Faster satellite communications spark new services

BY  CAROLYN  DUFFY  MARSAN 


IT EXECUTIVES ARE giving satellite
communications a second look, as
providers deliver faster, more affordable
services and as more government
agencies and large corporations focus
on keeping networks up and running.

One  sign  of  this  trend:  The  U.S. 
government  has  announced  a  joint 
military/civilian  agency  purchase  for 
commercial  satellite  communications 
services  worth  an  estimated  $5  billion 
over  10  years.  The  feds  plan  to  request 
bids  from  satellite  communications 
providers next year and to award
contracts in 2011.

“We  see  the  need  for  commercial 
satcom  service  to  continue  and  to 
increase  over  the  next  couple  of  years,” 
says  Kevin  Gallo,  program  manager 
for  satcom  services  at  the  U.S.  General 
Services  Administration. 

The U.S. government is interested in
commercial satellite services for
traditional uses (emergency response,
remote locations, video broadcast
and distance learning) as well as the
emerging area of continuity of
operations (COOP).

See  Satellites, page  20 


10G  Ethernet  shakes 
net  design  to  the  core 

Shift  from  three-  to  two-tier  architectures  accelerating 


BY  JIM  DUFFY 


THE  EMERGENCE  OF  10  Gigabit  Ethernet, 
virtualization  and  unified  switching  fabrics  is 
ushering  in  a  major  shift  in  data  center  network 
design: three-tier switching architectures are
being collapsed into two tiers.

Higher, non-blocking throughput from 10G
Ethernet switches lets users connect server
racks and top-of-rack switches directly to the
core network, obviating the need for an
aggregation layer. Also, server virtualization is putting
more application load on fewer servers due to
the ability to decouple applications and
operating systems from physical hardware.

More application load on less server
hardware requires a higher-performance network.

Moreover, the migration to a unified fabric
that converges storage protocols onto Ethernet
also requires a very low latency, lossless
architecture that lends itself to a two-tier approach.
Storage  traffic  cannot  tolerate  the  buffering  and 
latency  of  extra  switch  hops  through  a  three-tier 
architecture  that  includes  a  layer  of  aggregation 
switching,  industry  experts  say. 

All  of  this  necessitates  a  new  breed  of  high- 
performance,  low-latency,  non-blocking  10G 
Ethernet  switches  now  hitting  the  market.  And 
it  won’t  be  long  before  these  10G  switches  are 
upgraded  to  40G  and  100G  Ethernet  switches 
when  IEEE  standards  are  ratified  in  mid-2010. 

“Over  the  next  few  years,  the  old  switching 
equipment  needs  to  be  replaced  with  faster  and 
more  flexible  switches,”  says  Robin  Layland  of 
Layland  Consulting.  “This  time,  speed  needs 

See  Ethernet,  page  22 
Gates does Pittsburgh

Bill Gates will share words of wisdom on Sept.
22 at the opening ceremony for a computer
science center bearing his name at Carnegie
Mellon University, the home of the nation's
first such department in 1965. The Gates Center
for Computer Science, which will be home
to undergraduate computer science programs,
is funded in large part through a $20 million
gift from the Bill & Melinda Gates Foundation.
The Pittsburgh-based center will be part of a
complex also including the new Hillman Center
for Future-Generation Technologies, which
is also being dedicated this month.


CLEAR  CHOICE  TEST: 

Block  insider  data  leaks 

TrendMicro, Websense offer effective
protection at the endpoint.
Obama: More of the same on privacy front?

U.S. President Barack Obama’s administration
received mixed grades from privacy groups
after more than seven months in power, with the
groups saying Obama has done little to change a
surveillance-state environment created under
former President George Bush.

The Obama administration gets a D overall for
civil liberties, including a D- for electronic
surveillance and a D for the way that state and
local fusion centers run by the U.S. Department
of Homeland Security collect data on U.S.
residents, said Chip Pitts, president of the board
for the Bill of Rights Defense Committee.


Gadget  vendors  put  on  alert  by  EU 

Over half of all online sellers of consumer
electronics in the European Union are suspected of
having broken consumer protection laws, the
European Commission said last week. Their
alleged offenses include concealing delivery
charges, misleading consumers about products
and failing to honor consumers’ rights to
return unwanted purchases within the E.U.-wide
minimum period of a week. Consumer
groups will contact the alleged offenders, ordering
them to conform with consumer protection
laws. The Commission has warned that if the
offenses persist it will close down the Web sites.
PEERSAY


Is  privacy  a  reasonable 
expectation? 

Re:  ‘Wiretapping’  charges  may  be  the  silliest 
ever  recorded  (http://tinyurl.com/m43qn9): 

Some  people  do  stupid  things  when  they 
think  they  are  not  being  watched  or  overheard. 

I  think  you  should  give  them 
the  chance  to  do  the  right  thing 
instead. 

Letting  the  other  parties 
know  that  they  are  being 
recorded  just  may  prevent 
them  from  doing  or  saying 
something  stupid.  It  doesn’t 
always  work,  but  they  should 
be  given  the  chance.  That  is  why  depositions  are 
recorded  in  the  open.  Keeps  things  civil  and  on  a 
professional  level.  (Most  of  the  time.) 

The  only  reason  to  record  in  secret  is  if  you 
want  to  instigate  or  promote  conflict,  or  keep  a 
record  to  instigate  future  conflict.  Not  usually  a 
good  business  practice. 

Stew 


“No [government] agency wants another one
telling them how to run their house.”

DIGITALSNIPER


This  wasn’t  a  phone  call,  it  was  a  conversation 
in  or  at  a  place  of  business  open  to  the  public 
at  large. 

Two-party consent laws are in place to protect
an expectation of privacy. If you call someone
on the phone, you’re engaged in a discrete,
intentional two-party conversation that carries
with it the expectation that what you say into the
receiver isn’t heard by a third party.

A  public  conversation,  at  a  car  dealership 
for  example,  that  can  be  easily  overheard  by  a 
mechanic,  or  a  salesman,  or  another  customer, 
or  witnessed  by  any  third  party  carries  with  it 
no reasonable expectation of privacy and therefore
cannot be held to the same standard. It’s
what  allows  you  to  take  a  photograph  or  make  a 
video  recording  of  your  kids  playing  in  the  park 
without  violating  the  same  consent  laws  that  the 
police  are  trying  to  apply  in  this  instance. 

Unless  the  recorded  conversation  took  place 
between  only  two  people,  in  a  room  behind 
closed  doors,  the  “wiretapping”  charge  would 
almost  certainly  be  thrown  out. 

Anon 


Expect  robocalls  to  return 
in  time  for  elections 

Re: FTC rules outlawing those damned annoying
robocalls hit Sept. 1 (http://tinyurl.com/lpfcgz):

Assuming the robocalls actually stop, that’ll
cut the annoying calls in half. That still leaves lots
and lots of political calls. During the last election
my answering machine received dozens of calls a
day. It got so bad we considered unplugging the
phone entirely.

Too bad it’ll never get outlawed since politicians
actually make the rules.

Anon 

Turf wars rule government
cybersecurity

Re: Federal IT strategy, hope over reality (http://tinyurl.com/p9mlcu):

This is nothing new and shouldn’t come as a
surprise to anyone. I’ve worked in the government
and the contractor site of cybersecurity
and the issue is turf wars.

No  agency  wants  another  telling  them  how 
to  run  their  house.  The  top  levels  (White  House, 
DoD)  are  afraid  of  creating  animosity  and  rifts 
between  agencies  if  they  implement  stiff  orders 
and  tap  someone  with  ties  to  one  government 
agency.  That’s  how  ridiculous  they  operate. 

NSA and DIA have enough problems to deal
with, the service components all hate each other,
the CIA doesn’t really have a clue about cybersecurity
and DISA obviously can’t do the job or
there wouldn’t be an issue. Although, I believe
DISA should be the one responsible for the security
and whack the heck out of anyone who steps
out of line.

There  is  no  appeasing  in  this  process  and 
consequences  have  to  be  firm.  I  guess  they  could 
spend  a  gazillion  dollars  and  hire  some  IBM  or 
KPMG  type  to  come  in  to  ideate  about  what 
could  and  should  be  done  but  never  really  get 
anywhere.  Oh  yeah,  they  already  do  that. 

DigitalSniper 


BLOGOSPHERE

■ Microsoft says Google book settlement is
unconstitutional, anti-competitive. Network
World's Google Subnet reports that Microsoft
is crying foul over a recently proposed deal
that would give Google access to millions of
digitized books, calling it an “anti-competitive”
action that would create “a monopoly
in digital books.” The company argues that
the deal goes against the U.S. Constitution
because the Constitution grants copyright
power to Congress, not to the judicial branch.
Many interested parties have risen up against
the deal, including the EFF and Bruce Schneier.
Why does Microsoft care? If you said
“Because it would really like to do the same
thing,” I would say “Bing-o.” The company's
complaint says it also cares because it is
a publisher of books, but that naturally
pales in comparison to the opportunity to
be a fly in Google's ointment once more.
http://tinyurl.com/H94xw

■ Small Business Server 2008: Turning
‘OFF’ IPv6 could be dangerous. Network
World blogger Ron Barrett notes that many
small to midsize businesses have not
adopted IPv6 and many are sticking with the
old IPv4 format of dotted decimal. I love the
idea that the 128-bit address space means
we will never run out of IP addresses (even
if every single human being on the earth has
100 PCs and laptops in their home). However,
I wonder if we couldn’t just accomplish the
same with something with the dotted decimal
format. Perhaps more digits in each octet or
more octets per address. It seems in an age
where we are trying to make these server
operating systems, routers, desktop OS and
everything else ‘more user friendly’ IPv6
becomes more machine like, but I digress.

He came across an issue where he needed
to provide a static IPv6 site-local address
(these are the equivalent to the private IP
ranges in IPv4). Of course, because we are
working with hexadecimal and not dotted
decimal after the initial FEC - FEF parameter
the rest is pretty much guess work. We got
it working (restart was down to eight to nine
minutes) and now we sit and wait to see if the
server will shut down services again (but as
of yesterday there were no errors in the event
log to indicate it should). Lesson learned
here: Do not over-complicate a client’s
environment ... my friend inherited this client
after they tossed the last consulting firm. The
client had no need for SBS 2008; they are
using POP mail so Exchange Server was a
waste for them. But now the backup software,
antivirus and other package on the server
were purchased for SBS, and so there is no
turning back. http://tinyurl.com/oeqqdg
Interviews, the Coolest Tools and More


IDG  News  Wire 

Steve  Jobs  on 
stage! 

Apple  CEO  Steve  Jobs  took 
the  stage  at  an  event  last 
week  to  introduce  new  iPod 
products,  his  first  public 
appearance  after  taking 
a  long  medical  leave  of 
absence. 

http://tinyurl.com/p7v5xj 


IDG  News  Wire 

T-Mobile  and 
Orange  merge 
in  the  U.K. 

The combined cell phone carrier
will be the largest in the
United  Kingdom.  The  merger 
is  expected  to  lead  to  cost 
savings  and  wider  network 
coverage,  the  carriers  said. 
http://tinyurl.com/p7gzj2 


IDG  News  Wire 

Toshiba  offers 
Media  Manager  for 
home  networks 

The  software,  due  for  release 
later  this  year,  will  allow  drag 
and  drop  control  of  a  DLNA 
network  from  a  PC. 
http://tinyurl.com/qthtrn 
New attacks on cloud
services call for due diligence


CLOUD SECURITY: Academics have figured
out a way to find particular applications running
within cloud providers’ networks and
to threaten their security. Researchers at the
University of California at San Diego and at
M.I.T. say they can buy cloud services from
Amazon and place a virtual machine on the
same physical machine as a target application.
Once there, they can use their VM's access to
the shared resources of the physical machine
to steal data such as passwords. The technique
is experimental and doesn’t work all the time,
but it indicates that service providers’ clouds
are susceptible to new types of attacks not seen
before, the researchers say. And while they
attacked inside Amazon’s EC2 cloud, they say
their method would work equally well with
other cloud providers. The researchers say
that one way around the weakness they found
is for customers to insist that their VMs are
placed on physical machines that only they can
access or that they and trusted third parties
can access. This solution will likely be at a price
premium because part of the economy of cloud
services is maximizing use of physical servers
by efficiently loading them up with VMs.
http://tinyurl.com/og8tll


IT BEST PRACTICES: Every organization
has sensitive information that it does not want
the public to see. Nevertheless, this information
often makes its way to the public Internet,
either by accidental or intentional exposure.

For example, in 2007 payment records for
more than 30,000 patients of Sky Lakes
Medical Center in Oregon were viewable on the
Internet for nearly a month when a contractor
copied the records from one server to another to
perform maintenance. Unfortunately, this kind
of thing happens every day, and the organizations
whose information is exposed have no
idea. Could this happen to your company?

The  truth  is,  you’re  probably  exposing  much 
more  than  you  know,  according  to  executives 
at  Exobox  Technologies.  They  have  chosen  to 
focus  on  an  untapped  area  of  data  security  they 
call  “data  leak  detection.”  Instead  of  trying  to 
prevent  sensitive  data  from  leaving  the  network 
confines,  the  Exobox  SaaS  solution  called 
ExoDetect  tells  you  what  has  already  escaped. 

If  this  sounds  a  bit  like  closing  the  barn  door 
after  the  horses  have  run  off,  let  me  assure  you, 
there’s  still  plenty  of  value  in  knowing  where 
the  horses  have  gone. 
http://tinyurl.com/qo2r26 
Follow these links to more resources online


Microsoft  forms  new 
open  source  foundation 

Microsoft has founded and is providing the funding for a new nonprofit
foundation aimed at bringing open source and proprietary
software companies together. According to its Web site, the CodePlex
Foundation “will complement existing open source foundations
and organizations, providing a forum in which best practices
and shared understanding can be established by a broad group of participants,
both software companies and open source communities.” CodePlex has for some
time been the name of the site on which Microsoft hosts open source projects.
Microsoft contributed $1 million and the CodePlex name to the foundation,
which will license that name back to the CodePlex Web site so it can continue
using it. http://tinyurl.com/ngh3o4


Cisco fixes TCP denial-of-service bug. Cisco
last week issued a patch for a denial-of-service
vulnerability that affects multiple products.
The vulnerability allows attackers to manipulate
the state of TCP connections, according
to a Cisco security advisory. By manipulating
the state of a TCP connection, an attacker
could force it to remain in a long-lived
state, possibly indefinitely. If enough TCP
connections are forced into a long-lived or
indefinite state, system resources may be
consumed, preventing new TCP connections
from being accepted and thus initiating
a DoS condition. To exploit these vulnerabilities,
an attacker must be able to complete
a TCP three-way handshake with a vulnerable
system, the advisory states. The bug was first
discovered a year ago by Outpost24, a Swedish
provider of network security products.
http://tinyurl.com/nrf6c4

White House CIO to disclose cloud computing
plans. White House CIO Vivek Kundra
will explain how the federal government plans
to offer cloud computing services to U.S. agencies
at a press event set for Tuesday. The event
is a likely setting for Kundra to roll out the first
phase of the government’s cloud computing
storefront, which will give agencies a central
place to acquire simple collaboration and
productivity tools. Kundra has been backing
cloud computing as a way to cut government
IT costs, by making inexpensive and
easy-to-deploy computing services available via
the Internet. The initial phase of the cloud
storefront, based on public cloud computing
resources, is not expected to be used for
sensitive applications, but by next year the
government would like to offer cloud-based
services that are hosted in private data centers
and which could be used to handle more
sensitive data.
http://tinyurl.com/nnvrwf


Motorola Cliq unveiled.
Motorola announced its
first Android smartphone, which will ship in
the fourth quarter with T-Mobile USA under
the name Cliq. The touchscreen phone will
use an upcoming Internet-based service for
Motorola phones, called Motoblur, which will
integrate information from users’ contacts
on a variety of social-networking services
including Facebook, Twitter and MySpace. All
settings and data for the Motoblur service will
be maintained in a cloud infrastructure, so if
a phone is lost or stolen, it can be wiped clean
remotely. When the user retrieves the phone
or gets a new one, he can log back in with the
same username and password and get all the
data back, according to Sanjay Jha, co-CEO
of Motorola. The Cliq will have a slide-out
QWERTY keyboard as well as a touchscreen.
It will come with Wi-Fi and 3G connectivity.
http://tinyurl.com/nsuw6x

IBM, European researchers develop
multimedia search tool. IBM, working
with researchers in Europe, claims to have
developed a better way to search online for
photos and videos than current methods used
by Google and Yahoo. The developers call their
technology SAPIR, for Search in Audio-Visual
Content Using Peer-to-Peer Information
Retrieval. It indexes and analyzes “low-level
descriptors,” or attributes such as color, layout,
shape and sounds, in photos and videos. The
technology then compares those descriptors
with other existing photos to help identify
what’s in the picture. That’s different from
the approach taken by most existing search
technologies, which typically sift through
images based on text tags assigned to the
photos. The researchers are still tweaking the
technology and it will be “some time” before it’s
productized by IBM, said IBM spokesman Ari
Fishkind. With improvements, the technology
could produce applications that might let
someone take a picture of an item and discover
stores that sell the item. Or doctors might be
able to use it to assist with diagnoses, IBM
said. http://tinyurl.com/kj47qb

Oops, there goes another data-loss
prevention vendor. In the latest sign of
data-loss prevention market consolidation,
Trustwave announced it has acquired
Vericept for an undisclosed amount.
Chicago-based Trustwave is active in compliance
services and assessments associated with
the Payment Card Industry’s Data Security
Standard for protecting credit and debit
cardholder data. It’s in this area in particular
where the Vericept DLP technology is expected
to play a useful part, says Robert McCullen,
Trustwave’s chairman and CEO. “One
primary use will be to help in compliance.” The
buyout is the latest in a stream of DLP deals
over the past couple of years. Among those
deals: McAfee buying Reconnex about a year
ago and CA acquiring Orchestria in January.
http://tinyurl.com/lnyexs

Mozilla releases Flash-checking security
update. Mozilla is pushing out a new
release of its flagship Firefox browser that
fixes critical security vulnerabilities in the
software and, for the first time, checks to see
if the browser’s Flash Player is up-to-date.
The Firefox 3.5.3 and 3.0.14 updates were
released last Wednesday, a day after Microsoft
pushed out its monthly set of security
patches. By actively checking for up-to-date
Flash software, Mozilla hopes to give users
a smoother and more secure Web browsing
experience. Mozilla decided to focus on the
Flash Player “both because of its popularity
and because some studies have shown that
as many as 80% of users currently have an
out of date version,” said Mozilla spokesman
Johnathan Nightingale. “Mozilla will
work with other plugin vendors to provide
similar checks for their products in the future.”
http://tinyurl.com/lua7mt
No alternative to Microsoft
Office? IBM begs to differ


BY JOHN FONTANA


IBM last week announced upgrades to and a
road map for its 15-month-old Lotus Symphony
suite of productivity tools, emphasizing
this as an alternative to Microsoft Office.
The move comes after Microsoft recently
said that a court order to remove Office from
store shelves next month could leave consumers
and businesses “stranded without an alternative
set of software.”

Microsoft  is  battling  a  patent  infringement 
case  brought  by  i4i  over  XML  file  formats.  The 
2007  case  resulted  in  a  $290  million  judgment 
against  Microsoft  and  an  injunction  that  bars 
it  from  selling  Word  2003  and  Word  2007 
after  Oct.  10  unless  the  offending  technology  is 
removed. 

“What we are trying to do with Symphony is
establish that there is an option in the market
and companies don’t have to spend the money
they spend for productivity suites,” says Ed
Brill, director of product management for Lotus
Software.

Along with Symphony, Google Docs and
OpenOffice are other productivity suite
alternatives to Microsoft’s Office, which dominates
market share and is a revenue gold mine for the
company.

“Symphony  is  not  a  product  that  we  just  threw 
out  there,”  said  Brill.  “We  have  been  investing  in 
an  on-going  basis.” 

IBM plans to release Symphony 2.0 in 2010,
the same timeframe Microsoft plans the next
version of Office. Code named Vienna, the
Symphony 2.0 software will be based on the most
recent version of OpenOffice.

But for now IBM, which offers Symphony as
a free download and the default productivity
software in Notes/Domino 8, is adding a new set
of drag-and-drop widgets that include integration
with popular Microsoft backend software
such as the SharePoint Server. The software also
integrates with Google Gadgets and Lotus’s own
Sametime and Connections platforms.

Part  of  the  widget  package  is  the  OrgChart 
Widget,  which  integrates  with  profiles  in  Lotus 
Connections  so  users  can  be  added  into  meetings 
that  convene  online  with  a  single  click. 

Other widgets include the Learning Widget,
which combines local and Web-based information;
a Team Workspace Widget that provides
access to documents stored in Lotus Quickr or
Microsoft SharePoint; the Symphony 2 Wiki
Widgets provide conversion of documents for
publishing on wikis; the Treasure Box Widget
keeps a “favorites list” inside Symphony of
frequently used documents, graphics and applications;
and the Export Graphic Widget supports
export of common formats such as .gif, .jpeg,
.png, .bmp.

In addition, the ChartShare Widget provides
screen sharing for up to 20 people with support
for co-creation and editing of presentations. It
also supports integration with Lotus Sametime
Unyte Live’s meeting capability. The ChartShare
Widget also gives presence information on every
contributor to the presentation and a link to
instant messaging.

The widgets work with Symphony 1.3, which
features support for Microsoft Office 2007 file
formats such as .docx, .xlsx, and .pptx. The .docx
format is part of the ongoing i4i patent infringement
suit against Microsoft.

Symphony  is  available  for  Mac,  Windows, 
Ubuntu  Linux,  Red  Hat  Linux  and  Suse  Linux. 
Symphony  is  available  for  free  from  the  IBM 
Web  site. 

IBM  offers  flat-fee  support  contracts  to  large 
corporate  users  for  $26,000  per  year.  ■ 


The Export Graphic
Widget  supports  the 
exporting  of  graphics, 
shapes  and  charts 
created  in  IBM  Lotus 
Symphony  to  files 
in  common  formats, 
including  .gif,  .jpeg, 
.png  and  .bmp. 
Wireless techs aid ‘telehealth’

Smarter  devices  to  go  hand-in-hand  with  higher-speed  networks 


BY  BRAD  REED 


When  carriers  announce  plans  to 
build  out  faster  4G  wireless  net¬ 
works  or  to  ramp  up  the  speeds 
of  their  current  3G  network,  talk 
typically  turns  to  how  it  will  ben¬ 
efit  consumer  applications  such  as  mobile  gam¬ 
ing  or  high-definition  video  streaming. 

But  perhaps  an  even  more  important  aspect 
of  increased  mobile  data  speeds  will  be  their 
impact  on  the  mobile  “telehealth”  devices  that 
doctors  are  increasingly  using  to  keep  track  of 
their  patients’  conditions.  A  study  released  this 
summer  by  ABI  Research  projects  that  there  will 
be  approximately  15  million  wireless  telehealth 
sensors  and  devices  in  use  by  2012,  or  more  than 
double  the  number  of  wireless  telehealth  sys¬ 
tems  in  use  today.  ABI  says  that  these  systems 
will  be  used  primarily  to  “monitor  and  track  the 
status  of  patients  with  chronic  conditions”  so 
that  their  providers  can  detect  early  warning 
signs  before  they  become  dangerous. 

“We’re  going  to  see  a  lot  more  use  of  embedded 
cellular  technology  in  telehealth  applications,” 
says  ABI  analyst  Sam  Lucero.  “What  we’re  look¬ 
ing  at  is  embedding  cellular  connections  into 
remote  card  devices  to  monitor  chronic  diseases 
as  well  as  a  separate  category  of  telehealth  called 
ambient  assisted  living  where  you  have  sensors 
in  your  home  or  facility  to  monitor  a  person’s 
activity.” 

One organization that has been a strong advocate of adopting remote telehealth systems has been the Center for Connected Health, a Boston-based division of the Partners HealthCare organization. The center has approximately 2,000
patients  in  Massachusetts  signed  up  for  its  pro¬ 
grams  that  include  initiatives  that  use  technol¬ 
ogy  to  help  patients  manage  their  hypertension, 
diabetes  and  weight.  Essentially,  the  center’s 
programs  work  like  this:  let’s  say  that  you  have 
chronic  hypertension  and  that  you  need  to  con¬ 
stantly  monitor  your  blood  pressure.  Under  the 
center’s  SmartBeat  program,  you  would  take 
your  blood  pressure  twice  a  week  on  a  digital 
monitor  that  connects  directly  to  the  Web. 

Once  you’ve  taken  your  blood  pressure,  you 
would  then  send  it  over  the  Internet  to  the  cen¬ 
ter’s  main  database.  From  there,  the  center  col¬ 
lects  the  data  and  compares  it  with  data  taken 
from  the  past  few  days.  The  center  makes  a  chart 
of  the  data  that  tracks  your  progress  over  the  last 
few  days,  weeks  or  months.  It  then  sends  you 
periodic  notices  telling  you  whether  your  blood 
pressure  is  improving  or  deteriorating. 

The body connected

Although ABI projects that health care sensors will grow dramatically over the next few years, sensors for professional on-site health care and health management today make up less than 20% of the wireless body sensor market.

“We can avoid making it a chore for the user by making devices smarter and giving them the ability to take advantage of the ubiquitous networks.”

DOUG MCCLURE, CORPORATE MANAGER OF TECHNOLOGY SERVICES, PARTNERS TELEMEDICINE

Doug McClure, the corporate manager of technology services for Partners Telemedicine, says that while the system is helping to give healthcare providers a more accurate and up-to-date picture of how their patients are doing, it is inhibited somewhat because most digital medical devices are limited to wireline access that requires patients to hook up the device to their computer before sending it out to the center’s database. McClure says he expects this system to be improved when more devices either hook onto cellular technologies such as GSM or IP-based technologies such as WiMAX.

“Where we’re going with these devices, whether it’s with GSM or with WiMAX, you’re going to see the data completely disappear into the device,” he explains. “It will make the whole process for how we’re able to gather information for people easier. We can avoid making it a chore for the user by making devices smarter and giving them the ability to take advantage of the ubiquitous networks out there.”

As one example of what wireless telehealth sensors could soon be able to do, McClure points to devices such as the Vitality GlowCap, a medicine bottle whose cap sends a signal out through a Wi-Fi connection every time it is removed to let providers know that patients are taking their medications. With true wireless broadband connectivity, McClure imagines that large and more complex forms of medical data can be sent wirelessly and automatically to the center’s data server, thus removing the burden from patients of having to send the data manually.

Wireless telehealth devices aren’t only being developed by the relatively small industry players. Earlier this year, Intel and General Electric made waves when they announced that they were spending a combined $250 million over the next five years to research new home health technology, as well as to jointly market their current telehealth devices.

Intel says it is working with GE to research and prototype devices specifically for assisted living situations. One overarching goal for the partnership, according to Intel, is to develop technology that would give users access to healthcare applications on their smartphones and would let them send and receive information about their personal health status through their personal mobile device.

“We are going to see more use of mobile phones to act as gateway devices,” Lucero says. “Essentially you’ll have sensors on the body that will connect to your own mobile phone and that will act as a gateway for the service provider.”

For  his  part,  McClure  says  the  most  excit¬ 
ing  advances  in  mobile  telehealth  devices  will 
come  not  only  when  health  applications  can  be 
accessed  from  smartphones  but  when  telehealth 
devices  all  become  interoperable. 

“We’ve  gotten  200  leading  companies  in  the 
field  to  come  together  to  make  sure  these  devices 
are  as  interoperable  as  possible,”  he  says.  “While 
going  through  a  whole  bunch  of  interoperability 
standards  can  sound  dry  at  first  but  in  the  future 
they’ll  enable  you  to  go  into  a  Best  Buy  and  you 
can  know  that  the  devices  you  purchase  will 
talk  to  each  other  so  you  don’t  need  to  buy  extra 
accessories  . . .  this  will  also  make  it  easier  for 
users  to  get  data  to  us  more  easily.  That’s  going 
to  be  a  big  breakthrough  for  us.”  ■ 

Make yourself layoff-proof

10  tips  to  avoid  a  trip  to  the  unemployment  office 


BY  DENISE  DUBIE 


DESPITE  TALK  OF  an  economic  recovery  on 
the  horizon,  countless  lost  jobs  won’t  be  replaced 
and  IT  organizations  are  still  weighing  layoffs  as 
a  way  to  cut  operations  budgets. 

Recent  survey  data  from  Forrester  Research 
shows  more  than  60%  of  IT  managers  expect  to 
cut  staff  this  year. 

“Right  now,  even  the  boss  is  worried  about  his 
position,”  says  Adam  Lawrence,  vice  president  of 
service  delivery  at  talent  and  outsourcing  service 
provider  Yoh.  “They  are  looking  for  staff  accom¬ 
plishments  to  take  to  their  managers  to  justify  the 
existence  of  remaining  team  members.” 

Here  IT  professionals  and  industry  experts 
share  10  tips  that  could  help  tech  workers  stay 
in  their  employers’  good  graces  and  avoid  being 
laid  off,  even  as  the  economy  begins  its  gradual 
recovery. 

1 Dig in

IT workers in precarious employment positions need to take on extra work, log more hours and essentially show their employers they want to be there, experts say. With budgets remaining flat or down, IT managers are being asked to assess staff for reductions or potential outsourcing options. You don’t want to be the employee who comes up short during such assessments.

“One  key  thing  to  remember  is  that  when  IT 
organizations  are  doing  layoffs,  they  aren’t  look¬ 
ing  for  people  to  get  rid  of,  they  are  determining 
which  people  to  keep,”  says  Beth  Carvin,  CEO  of 
Nobscot, a maker of HR-related software based
in Kailua, Hawaii. “Take initiative and do things
that  would  make  the  company  want  to  keep  an 
employee  like  you.” 

For  instance,  if  your  company  is  looking  into 
expanding  its  wireless  network,  study  up  on 
the  technology  and  offer  that  self-training  as  a 
resource.  Or  understand  what  skills  might  be 
missing  from  the  team  and  try  to  fill  the  gap  - 
without  being  asked. 

“When  I  first  started,  I  found  there  was  a 
shortage  of  server  load-balancing  expertise,” 
says  Colt  Mercer,  a  network  engineer  at  Citi¬ 
group  in  Dallas  and  a  Network  World  Google 
Subnet  blogger.  “I  spent  my  entire  first  week 
studying  server  load  balancing  and  when  an 
issue  came  up,  I  was  able  to  show  my  worth.” 

2 Follow the money

IT workers should know what systems and projects ultimately will drive revenue for the business. And they should work to get assigned those projects.

“To  the  extent  they  can  influence  it,  IT  pros 
should land themselves on revenue-generating
or  customer-facing  projects,”  says  Sean  Ebner, 
regional  managing  director  for  IT  staffing  and 
recruiting  firm  Technisource.  “Internal  roles 
are  critical,  but  getting  aligned  with  customers 
and  those  activities  will  make  technical  workers 
more  valuable  to  business  managers.” 

If  business-related  projects  aren’t  immedi¬ 
ately  available,  some  advise  IT  workers  to  get 
involved  with  the  sales  team,  offering  up  their 
technical  know-how  to  help  them  close  deals 
with  potential  customers. 

“Tech  workers  can  go  above  and  beyond 
by  bringing  product  delivery  and  sales  closer 
together,  and  really  lift  morale  because  compa¬ 
nies  need  all  workers  coming  together  to  bring 
in  business,”  says  Michael  Kirven,  principal  and 
co-founder  of  IT  resourcing  firm  Bluewolf. 

3 Feed your brain

Resources may be scarce, but experts recommend IT pros find low-cost training or other self-study options to expand their technical knowledge in ways that would benefit the company - and ultimately themselves.

“Technology  workers  need  to  be  professional 
managers  of  their  careers  and  in  bettering  them¬ 
selves,  their  employers  will  also  reap  rewards,” 
says  Yoh’s  Lawrence. 

Training,  self-funded  or  at  the  expense  of  the 
employer,  will  show  bosses  that  a  worker  not 
only  wants  to  be  on  staff,  but  is  still  interested 
in  advancing  his  career  with  that  particular 
company. 

“The  key  to  keeping  your  job  is  demonstrating 
your  return  on  investment.  You  cost  your  com¬ 
pany  a  certain  amount  of  money,  but  if  you  can 
show  you  are  gaining  value  at  no  cost  to  them 
and  that  your  knowledge  will  positively  impact 
the  bottom  line  in  either  cost  savings  or  revenue 
growth,  then  you  will  be  considered  an  asset,” 
says  Rich  Milgram,  CEO  of  Beyond.com,  an 
online  job  board. 

4 Become a business technology expert

It’s not just something people say; IT staffers need to become business-savvy to advance their careers and essentially keep their jobs.

“It’s  been  said  often,  but  IT  really  needs  to  be  a 
business  enabler  and  not  a  problem  fixer,”  says 
Chris  Silva,  senior  analyst  at  Forrester  Research. 
“High-tech  workers  who  have  had  ‘business- 
sensitivity’  training,  meaning  they  don’t  talk  in 
technical  terms  to  the  business  managers,  will 
be  kept  longer  than  IT  pros  who  can’t  translate 
the  technology  directly  to  business  issues.” 


Coupling  technology  know-how  with  insight 
into  what  makes  a  business  succeed  can  help 
staffers  maintain  a  long  career. 

“We  eliminated  100  positions  in  technology 
last  year,  but  we  are  still  aggressively  hiring 
business  analysts,”  says  Perry  Rotella,  president 
of  Society  for  Information  Management  (SIM) 
New  York  and  CIO  and  senior  vice  president 
at  Moody’s.  “Training  our  technical  people  and 
having  them  understand  the  business  has  been 
a  long-term  strategy  for  us.” 


5  Think  cheap 

Headcount reductions are often an effort to cut costs, but IT pros who prove to managers they can find inexpensive technology and reduce costs in-house could save their jobs.

“Think  like  the  owner.  Don’t  waste  resources 
or  buy  things  that  really  aren’t  critical,”  Nob- 
scot’s  Carvin  says.  “Employees  that  are  efficient 
are  chosen  to  stay  over  those  that  act  irresponsi¬ 
bly  with  budgets.” 

IT  pros  should  not  only  check  price  tags,  but 
also  offer  cost-effective  alternatives  to  the  status 
quo.  Citigroup’s  Mercer  introduced  automation 
tasks  that  enabled  his  company  to  save  time  and 
money,  while  also  avoiding  downtime  caused  by 
human  error. 

“We  had  a  lot  of  mundane  tasks  and  I  knew  a 
few  scripting  languages  so  I  was  able  to  stream¬ 
line  workflows  and  become  valuable  in  terms  of 
our  automation  strategy,”  he  explains. 

6  Stay  away  from  the  drama 

Most companies have a bit of in-office drama, but it’s best to stay far away from the water cooler gossip during tough economic times.

“You  really  want  to  present  yourself  as  a  like¬ 
able  person,  a  great  citizen  at  work,”  says  Lori 
Gale,  president  of  online  job  board  FastLane 
Hires.  “Don’t  be  one  of  those  people  that  hangs 
around  the  water  cooler  gossiping  and  acting 
stressed  out.  You  will  call  attention  to  yourself 
for  the  wrong  reasons.” 

Be  optimistic,  adds  Lauren  Milligan,  resume 
expert/job  coach  at  ResuMAYDAY.com  in  Chi¬ 
cago.  “Everyone  has  problems,  including  your 
manager.  Don’t  become  an  added  source  of  prob¬ 
lems,”  she  says. 


7  Sell  yourself 

While many in IT aren’t accustomed to the spotlight, experts recommend high-tech workers learn how to sell their skills to the company.

“Toot  your  own  horn.  This  is  not  the  time  for 
HP puts the net pedal to the metal

An  inside  discussion  with  Marius  Haas,  the  man  calling  the  shots 


MARIUS HAAS is senior vice president and general manager of HP’s ProCurve Networking business, which was recently aligned with the company’s server, storage and services businesses under HP’s Technology Solutions Group, creating an approximately $45 billion unit. Haas, who previously served as senior vice president of strategy and corporate development, is charged with shifting the network business into overdrive. Network World Editor in Chief John Dix caught up with Haas to talk about the market and his plans.


HP seems to have found new religion about networking. What has changed and what are you guys doing differently?

With ProCurve we’ve done a good job building up a mid-market value proposition with great technology and a great total cost of ownership structure. Last November I was tasked with leading the ProCurve organization and given the charter of expanding that value proposition into the enterprise. We knew we needed to have a converged fabric strategy for storage, networking and compute, and the ability to tie it into our overall management scheme. We have the technology from a company standpoint. We’re actually the only company that has all those components in its portfolio. And when you couple that with the economic situation customers are facing, and the fact that customers are adamant about wanting a market alternative, we felt the timing was perfect and we said, ‘OK, time to invest heavily in this business.’ And that’s what we’re doing.

After you arrived and got the lay of the land, what did you realize you had to do?

It’s a total addressable market of about $19 billion, and today we only cover, from the number of customers we’re touching, about 25% of that. So we have a huge opportunity to expand our coverage even with the current portfolio. So my most important priority is to expand my reach. I do that by leveraging every asset HP has from a go-to-market perspective, invest in scaling the Networking sales force and expanding my channel and partner ecosystem. Priority No. 2 is to create awareness and end user demand for our solutions. So that’s the low-hanging fruit we’re continuing to address.

But as customers demand us to be present in more and more of the stack, we need to invest in expanding the portfolio. Last year you saw us acquire Colubris Networks, which gave us a leading edge 802.11n wireless capability. Now we’re one of the only companies that can provide integrated wired and wireless technology under one management pane of glass, which solidifies us as a great network edge solution for virtually any customer. And we’ll continue to aggressively expand the product portfolio and leverage our world-class R&D team.

And finally, we’re investing in integration with the other parts of HP, including our blade server and storage guys. So alignment and integration of the different R&D streams is an area we clearly see opportunity.

Are you going forward with a value story? What’s your elevator pitch?

It’s a story of leading edge, standards-based technology with industry-leading total cost of ownership metrics. But we also have an industry-leading warranty that many others are trying to copy. If you dive down deep, though, you see they’re not even coming close because you still need to buy incremental software and upgrade packages before you truly get what we offer today. And obviously the other piece is HP is a company that’s got unrivaled breadth and depth.

What advantage does being part of a gigantic computing company give you that the net-only guys will have trouble competing with?

The list is long but let me note a few things. There’s a reason we’re the largest IT company on the planet. We spent the last few years building up size and scale because of the value it brings to HP and the customer. So the broadest portfolio, with the greatest economies of scale, with a standards-based compute paradigm, and we deliver leading-edge technology solutions at leading-edge TCO value propositions.

And then you start thinking about how to manage the common building blocks, about orchestration and automation and the delivery of different services. HP has the management platform that allows you to do that.

Then there is the question of how customers want to consume the IT capabilities. Do they want to own it? Rent it? Have it managed by someone else? HP can deliver on any of those options through our multiple services organizations. So all of that coupled together lets us address a broad set of the market.


You  mentioned  network  edge  when  you  were 
talking  about  the  wireless  stuff.  Given  Cisco's 
dominance  in  switching,  is  your  plan  to  nibble 
away  at  certain  pieces  of  the  network? 

In  the  mid-market  we  have  an  excellent 
portfolio  and  feel  our  customers  are  satisfied 
with  what  we’re  delivering  end-to-end.  What 
we’re  doing  now  is  aggres¬ 
sively  expanding  to  address 
the  needs  of  all  enterprises. 
Those  enterprises  are 
saying,  ‘I  want  to  change 
my  economic  profile  from 
a  networking  standpoint.  I 
want  to  eliminate  complexity 
that  has  been  built  in  over  the 
years.  I  want  to  increase  asset 
utilization.  I  want  to  reduce 
costs.  I  want  to  increase 
flexibility  in  terms  of  how  I 
manage  my  infrastructure.  I  want  to  reduce 
my  footprint,  and  I  want  to  reduce  my  power 
consumption.’  So  when  they  look  at  how  we’ve 
been  able  to  help  them  in  most  of  the  other 
enterprise  categories,  they’re  saying  ‘Hey  HP, 
we  want  that  from  you  on  the  networking  side’. 

They  can  start  by  deploying  us  at  the 
network  edge  and  grow  comfortable  with  the 
interoperability  of  what  we  offer.  Seventy  [per¬ 
cent]  to  80%  of  the  time  we  are  brought  into 
heterogeneous  environments  and  customers 
see  how  easily  and  flexibly  the  solutions  inte¬ 
grate  with  minimal  management  disruption. 

And  with  a  total  cost  of  ownership  and  a  cost- 
savings  model  that  is  second  to  none,  custom¬ 
ers  then  start  to  say,  ‘Come  work  with  me  on 
what  my  future  network  fabric  ought  to  look 
like  and  together  let’s  start  tackling  the  more 
complex  mission-critical  environments  and 
do  it  in  standards-based  way  so  I  can  deploy 
pieces  when  I  feel  comfortable  based  on  my 
risk/investment  profile.’ 

So  it  becomes  a  journey,  a  partnership.  That’s 
compared  to  the  competition  selling  an  end- 
to-end,  closed,  proprietary  architecture  that 
forces  not  just  technology  convergence,  but 
also  organizational  convergence.  Customers 
are  telling  us  they  don’t  want  to  do  that. 


“We do believe there is a new computing paradigm that can come around from a networking standpoint.”

MARIUS HAAS, SENIOR VICE PRESIDENT AND GENERAL MANAGER
We hear Cisco is matching ProCurve prices in some deals and you guys are trying to get that word out.

Well, clearly that sends a signal to the market they’re not competitive. So our position is, why not let the rest of the market know? If there’s a value proposition that someone else provides that’s greater and better, then it behooves us to make sure that every customer out there is aware of it. And that’s part of our effort to increase awareness.

Cisco  is  entering  computing  with  its  Unified 
Computing  System,  arguing  that  integrat¬ 
ing  computing,  storage  and  networking  will 
lead  to  substantial  TCO  advantages.  Do  you 
agree  with  that  vision,  and  is  that  also  at 
the  heart  of  your  One  Alliance,  your  efforts 
to  work  with  software  vendors  to  create 
applications for ProCurve environments?

But we’re not doing it the way they’re doing it. We’re not saying customers need to move into a converged network/storage/compute fabric with a proprietary stack that locks you into a 10 year-plus architecture with an as yet undefined TCO model.

We’re  saying  we’ve  been  doing  this  for 
years.  We  know  what  the  compute  fabric 
looks  like,  the  storage  fabric,  and  we’re 
absolutely  investing  hard  in  the  network 
fabric.  And  we  believe  that  establishing 
your  data  center  on  a  holistic  and  integrated 
infrastructure,  which  includes  servers, 
networks,  storage  and  management,  using 
common  architectural  building  blocks,  is 
the  right  way  to  do  it. 

So  the  marketing  rhetoric  they’re  putting 
out  there  is  interesting,  but  we  decompose  it 
and  see  it’s  forcing  some  trends  customers 
don’t  want.  It  is  a  closed  architecture  with 
proprietary  Cisco  compute  technologies.  It 
doesn’t  scale  to  the  capabilities  we  have,  and 
it  doesn’t  have  overall  data  center  manage¬ 
ment  from  an  orchestration  and  automation 
standpoint,  including  identity  management 
and  policy  management.  Those  are  huge 
gaps  they’re  not  addressing. 

One  of  the  holes  in  your  product  portfolio 
is  at  the  high  end,  an  answer  to  the  Cisco 
Nexus.  Presuming  you’re  going  to  have  to 
address  that,  will  you  be  buying  or  building 
to  address  the  need? 

You  can  assume  I’m  looking  at  everything. 

I  view  the  window  of  opportunity  for  us 
as  now.  The  customer  base  is  saying  it 
wants  us  to  step  up  now.  So  we’re  looking 
at  everything  —  build,  partner,  buy.  What’s 
the  best  investment  profile  from  a  return 
standpoint,  not  just  for  our  sharehold¬ 
ers  but  for  our  customers?  So  you  should 
assume  that’s  the  pragmatic  approach  I’m 
taking. 

We’re hearing more and more talk about the idea of de-layering switch architectures from three layers to two. Is this something you’re looking at?

We’re  looking  at  a  model  we  call  VLL2,  a 
very  large  Layer  2  strategy,  to  see  how  that 
will  transform  the  way  the  network  gets 
deployed.  So  certainly,  we’re  looking  at 
all  the  different  capabilities  out  there  and 
saying,  ‘OK,  how  can  we  change  the  model 
to  increase  simplicity,  reduce  complexity, 
increase  bandwidth  and  decrease  latency? 
How  can  you  provision  devices,  even  for 
example,  storage  farms,  on  the  fly?  How  can 
you  deliver  that  all  in  a  radically  different 
cost  structure?’ 

We  do  believe  that  there  is  a  new  comput¬ 
ing  paradigm  that  can  come  around  from  a 
networking  standpoint. 

How  far  out?  A  couple  of  years? 

That’s  about  right. 

At  the  recent  Interop  you  announced  that 
you  were  investing  some  money  with 
Microsoft  to  tackle  unified  communications. 
How’s  that  going? 

We  announced  a  $180  million  dollar  joint 
investment  to  develop  and  deploy  unified 
communications  and  collaboration  solu¬ 
tions  based  on  Microsoft’s  communication 
capabilities  and  application  suites  and  HP 
infrastructure,  software  management  tools 
and  services.  The  goal  is  to  bring  unified 
communications  and  collaboration  to  the 
masses  in  a  simple  and  best  in  class  TCO 
model.  The  companies  are  excited  about  the 
opportunity  and  we’re  expanding  our  foot¬ 
print  in  the  regions  as  we  speak.  We’ve  got  a 
lot  of  training  going  on  everywhere  around 
the  world.  Receptivity  from  a  customer  base 
as  well  as  from  a  partner  community  has 
been  phenomenal. 

What  have  you  learned  from  this  dreary 
recessionary  period? 

Clearly  it’s  made  everyone  very  attentive 
as  to  where  every  dollar  is  being  spent.  In 
the  past  no  one  got  fired  for  buying  Cisco, 
but  I  think  that  phase  is  over.  People  are 
looking  at  this  line  item  in  their  IT  spend 
and  seeing  it  hasn’t  gone  down.  And  when 
they  decompose  the  margin  profile  of  the 
largest  industry  player  they’re  saying, 
‘That’s  unacceptable’.  So  they  want  change. 
They’re  looking  for  a  multiple  vendor  strat¬ 
egy  that  enables  true  competition  because 
it  makes  people  hungry  again  for  their 
business. 

Any  closing  remarks? 

We’re  following  what  our  customers  want 
us  to  do  and  we  have  great  technology  that 
can  be  delivered  in  the  way  the  customer 
wants,  with  a  great  value  proposition. 

That’s  why  I’m  excited.  That’s  why  I’m 
here,  because  it’s  a  market  that’s  looking  for 
change.  ■ 


■ Layoff, from page 14

humility.  In  the  current  business  arena  in  which 
everyone  is  stretched  thin,  make  sure  your  accom¬ 
plishments  are  noticed,”  says  Katie  Prizy,  commu¬ 
nications  specialist  at  IT  talent  provider  Instant 
Technology  in  Chicago. 

And  to  be  able  to  truly  demonstrate  their  contribu¬ 
tions  to  the  company,  IT  pros  need  to  be  able  to  mea¬ 
sure  what  their  work  has  added  to  the  bottom  line. 

“If  you  can’t  measure  your  own  success  and  be 
able  to  clearly  demonstrate  how  your  technology 
work  has  benefited  the  company,  then  you  can’t 
expect  managers  to  be  able  to  when  it  comes  time  to 
reduce  staff,”  Beyond.com’s  Milgram  says. 

8 Mentor others

Share your knowledge, career experts say.

“IT  people  need  to  get  out  of  the 
knowledge-hoarding  mentality.  They  need  to  let 
people  know  what  they  know  and  share  the  knowl¬ 
edge  and  information  willingly,”  Carvin  says.  “That 
will  make  them  more  invaluable  to  employers.” 

Knowledge  can  be  a  powerful  thing,  and  sharing 
information  that’s  critical  to  a  company’s  technical 
success  will  impress  managers. 

“I  am  big  on  mentoring,  and  I  spend  a  lot  of  time 
training  others.  People  see  me  as  approachable  and 
come  to  me  with  questions,  asking  me  for  help,” 
Mercer  says.  “The  managers  notice  that  people  seem 
to  naturally  follow  me  and  I  assume  makes  them 
want  to  keep  me  here.” 

9 Make yourself available

During the downturn, some groups in IT may not be as busy as others. IT pros in the groups that seem slow should be offering themselves up for projects in other departments.

“If  companies  have  five  people  that  administer  the 
network,  but  one  of  them  also  knows  servers,  man¬ 
agers  might  get  rid  of  the  highly  specialized  worker 
in  favor  of  that  person  that  could  be  considered  an 
IT  generalist,  working  in  many  areas,”  says  Bryan 
Sullins,  principal  tech  trainer  at  New  Horizons  in 
Hartford,  Conn.,  and  a  Network  World  blogger.  “IT 
pros  that  won’t  cross  those  boundaries  are  hurting 
themselves.” 

Working  on  projects  outside  of  the  normal  routine 
is  valued  by  managers  —  and  also  helps  IT  workers 
add  to  their  skills. 

“One  thing  that  helps  is  to  be  willing  to  take  on  new 
challenges,  even  if  it  is  outside  of  your  normal  rou¬ 
tine.  I  once  had  to  project  plan  for  a  PBX  upgrade,  and 
I  learned  an  immense  amount  about  how  they  work,” 
says  Dwayne  Whitmore,  senior  systems  engineer  in 
the  technology  services  group  for  Carolinas  Health- 
Care  System  in  Charlotte,  N.C.  “The  knowledge  from 
that  project  helped  me  understand  VoIP  better.” 

Smile,  be  happy 

Never  underestimate  the  power  of 
a  positive  attitude. 

“The  person  who  with  a  smile 
takes  on  new  challenges  that  alleviate  some  of  the 
pains  of  the  management  team  will  become  invalu¬ 
able,”  Beyond.com’s  Milgram  says.  ■ 
■ Satellites, from page 1

“We  think  every  organization  should  consider 
using  satcom  for  their  COOP  needs,”  Gallo  says, 
pointing  out  that  satellite  offers  excellent  redun¬ 
dancy  for  terrestrial  networks  and  can  be  used 
for  voice  and  data.  “Satellite-provided  backup 
can  really  be  cost-effective  insurance  for  when 
your  terrestrial  network  goes  down.  It’s  avail¬ 
able  at  a  low  cost,  and  you  can  surge  when  you 
need  it.” 

Among  the  companies  that  are  buying  satel¬ 
lite  services  to  back  up  terrestrial  networks  are 
Republic  National  Distributing  Co.  (RNDC), 
a  wine  and  liquor  distributor,  and  Roundtree 
Automotive,  an  Alabama  car  dealership. 

Companies  with  remote  locations  such  as  BP, 
ConocoPhillips  and  other  gas  station  chains  have 
traditionally  used  satellite  communications  for 
low-bandwidth  applications  such  as  credit  card 
authorizations  and  inventory  updates.  But  as 
the  satellite  capacity  over  the  United  States 
increases,  more  enterprises  are  considering  sat¬ 
ellite  for  broadband  and  mobile  applications. 

“There’s  always  been  demand  for  higher  band¬ 
width  satellite  solutions  from  enterprises...  The 
problem  has  been  the  supply,”  says  Christopher 
Baugh,  president  of  NSR,  a  market  research  firm 
specializing  in  satellite  and  wireless  services. 

Baugh  says  that  the  newest  satellites  from 
Hughes,  ViaSat  and  WildBlue  will  change  how 
CIOs  view  satellite  services  for  broadband  appli¬ 
cations,  particularly  COOP. 

COOP  is  “a  no-brainer  for  a  lot  of  enterprises 
that  need  100%  or  near  100%  uptime,”  Baugh 
says.  “This  has  been  talked  about  since  2005, 
after  Hurricane  Katrina.  That’s  when  disaster 
recovery  and  business  continuity  propelled 
itself  to  the  forefront.” 

The  new  economics  of  Satcom 

Enterprises  are  interested  in  satellite  communi¬ 
cations  because  it  has  gotten  faster,  less  expen¬ 
sive  and  more  reliable  over  the  last  five  years. 

“The  cost  of  satellite  service  has  come  way 
down,  and  it  will  continue  to  come  down,”  says 
Lisa  Scalpone,  senior  vice  president  for  business 
development  at  WildBlue,  a  residential  satellite 
broadband  service  that  is  available  to  enterprise 
customers  through  resellers.  “The  newest  satel¬ 
lites  offer  10  times  the  capacity  of  older  models 
but  at  the  same  cost.” 

For  example,  WildBlue  provides  a  Ka-band 
satellite  service  with  1.5Mbps  download  and 
256Kbps  upload  for  less  than  $80  a  month. 
WildBlue  has  been  selling  its  broadband  sat¬ 
ellite  service  to  residential  customers  for  four 
years,  and  it  has  attracted  400,000  customers. 

Although  WildBlue  doesn’t  offer  COOP  ser¬ 
vices  to  enterprises  directly,  the  company  says  it 
has  excellent  growth  potential. 

“Satellite  is  such  a  tremendous  resource  for 
continuity  of  operations  because  you  cannot 
take  out  the  core  infrastructure.  The  satellite  is 
22,000  miles  in  space.  Even  if  you  have  a  terror¬ 
ist  attack  or  a  massive  fire,  you  have  a  satellite  in 
the  sky  that  can’t  be  taken  out,”  Scalpone  says. 
“Even if the end user site is destroyed, you can
simply bring in a managed gateway. All you need
is a power supply. You can run it on battery.”

WildBlue provides a Ka-band satellite
service via its WildBlue-1 satellite, which
offers 1.5Mbps download and 256Kbps
upload for less than $80 a month.

Internet Technology Solutions (ITS), a WildBlue
reseller in Centennial, Colo., is pitching T-1
backup services to telecom, energy and utilities
companies for less than $2,000 a year.

“These  companies  have  two  things  in  com¬ 
mon:  they  have  to  have  connectivity  24-by-7, 
and  they  are  in  underserved  areas,”  says  Randy 
Thompson,  president  of  ITS.  “Right  now,  satel¬ 
lite  is  not  competitive  with  cable  modem.  But  it’s 
very,  very  inexpensive  compared  to  what  it  used 
to  be.  It’s  a  very  inexpensive  security  blanket  for 
backup  applications.” 

Next-generation  satellites  due  for  launch  in 
the  next  two  years  will  be  an  even  better  fit  for 
COOP. 

The  ViaSat-1  satellite,  due  for  launch  in  the 
first  half  of  2011,  will  have  another  10  times  the 
capacity  of  today’s  Ka-band  satellites  for  the 
same  cost.  ViaSat  calls  this  satellite  a  third-gen¬ 
eration  satellite,  following  in  the  footsteps  of  Ku- 
and  C-band  satellites  and  Ka-band  satellites. 

“These  third-generation  satellites  don’t  cost 
that  much  more  to  design,  build  and  launch  than 
the  second  or  the  first  but  they  have  10  times  the 
capacity  of  the  second  and  100  times  the  capac¬ 
ity  of  the  first,”  says  Kristi  Jaska,  vice  president  of 
strategy  and  marketing  for  commercial  satellite 
networks  at  ViaSat.  “They  become  much  more 
cost-competitive  with  other  technologies.” 

Jaska  says  ViaSat’s  new  satellite  will  provide 
up  to  20Mbps  download  speeds  for  enterprise 
customers. 

“Right now companies are using DSL or
EV-DO to back up T-1s,” Jaska says. “The
third-generation satellites bring us squarely into
the mix of being a better choice than DSL for
backup.”

The  latest  satellites  eliminate  the  problem  of 
latency,  too,  by  adding  application  acceleration 
and  WAN  optimization  features. 

One  organization  that’s  embracing  satellite 
communications  for  network  redundancy  is  the 
Defense  Information  Systems  Agency  (DISA). 

Bruce Bennett, DISA’s director and procurement
executive officer for satellite communications,
teleports and services, says the newest
communications satellites offer more capacity
and more of them are being launched at a time,
bringing down the cost for broadband service.

“This  new  generation  of  satellite  communi¬ 
cations  is  going  to  have  a  significant  amount  of 
bandwidth  and  is  very  economical,”  Bennett 
says.  “It  will  be  a  third  of  the  cost  you  see  today, 
and  you  can  buy  it  on  the  spot.  You  can  get  guar¬ 
anteed,  variable  or  best-effort  kind  of  bandwidth 
so  it  becomes  very  economical  to  have  every¬ 
thing  backed  up.” 

In the United States, DISA is looking at a
satellite/wireless combination that would serve as a
backup to its terrestrial networks.

“We’re  also  doing  a  lot  of  work  in  the  area  of 
using  satellite  as  a  front  end  for  major  wireless 
nodes  so  that  we  don’t  have  to  hook  up  to  the  ter¬ 
restrial  infrastructure,”  Bennett  says.  “We’re 
going  to  use  broadband  from  small  VSAT  ter¬ 
minals  and  then  feed  that  into  WiMAX  or  LTE 
for  backup.” 

DISA  encourages  other  enterprises  to  con¬ 
sider  satcom  to  improve  network  diversity  and 
reliability. 

“People  tend  to  only  think  about . . .  adding 
more  fiber  and  adding  more  routers.  They  don’t 
think  about  adding  different  layers  of  transport. 
Instead  of  more  terrestrial,  they  could  have  sat¬ 
ellite  or  wireless,”  Bennett  says. 

Hughes  Network  Systems  has  been  pro¬ 
moting  business  continuity  applications  for 
broadband  satellite  since  2005,  after  Hurricane 
Katrina  wiped  out  New  Orleans  and  surround¬ 
ing  areas. 

“After  9/11,  federal  agencies  started  to  recog¬ 
nize  the  need  for  redundant  communications, 
and  where  all  of  them  went  was  down  the  path 
of  awarding  contracts  to  two  terrestrial  carri¬ 
ers,”  says  Tony  Bardo,  assistant  vice  president 
for  government  solutions  at  Hughes.  “What 
Katrina  taught  us  is  that  nothing  could  be  fur¬ 
ther  from  the  truth.  Those  terrestrial  lines  came 
to  a  screeching  halt.  .  .  .  The  only  thing  that 
worked  was  satellite.” 

Bardo  says  it’s  been  easier  to  pitch  back-up 
satellite  services  since  spring  2008,  when 
Hughes  started  selling  services  from  its  newest 
satellite  dubbed  SPACEWAY  3.  That’s  because 
the  SPACEWAY  3  services  are  a  better  fit  for 
backing  up  MPLS  networks,  which  feature  dif¬ 
ferentiated  classes  of  service. 

“Our  story  is  one  of  speed,  and  it’s  a  lot  less 
expensive,”  Bardo  says.  “Now  these  services 
have  the  ability  to  match  up  well  with  terrestrial 
services  in  most  parts  of  the  country.” 

Hughes  offers  a  part-time  broadband  ser¬ 
vice  that  companies  can  buy  for  less  than  $150 
a  month.  This  service  is  like  an  insurance  plan 
that  companies  can  call  up  if  they  suffer  a  natu¬ 
ral  disaster  or  a  fiber  cut  that  eliminates  their 
Internet  access. 

“If  you  have  terrestrial  communications,  you 
do  have  single  points  of  failure,  and  it’s  often  in 
that  last  mile,”  Bardo  says.  “Even  if  you’re  buy¬ 
ing  from  two  carriers,  you’re  not  as  diverse  as 
you  think  you  are.”  ■ 

TRENDANALYSIS 


■ Ethernet, from page 1

to  be  coupled  with  lower  latency,  abandoning 
spanning  tree  and  support  for  the  new  storage 
protocols.  Networking  in  the  data  center  must 
evolve  to  a  unified  switching  fabric.” 

A  three-tier  architecture  of  access,  aggrega¬ 
tion  and  core  switches  has  been  common  in 
enterprise  networks  for  the  past  decade  or  so. 
Desktops,  printers,  servers  and  LAN-attached 
devices  are  connected  to  access  switches,  which 
are  collected  into  aggregation  switches  to  man¬ 
age  flows  and  building  wiring. 

Aggregation  switches  then  connect  to  core 
routers/switches  that  provide  routing  and  con¬ 
nectivity  to  WAN  services,  segmentation  and 
congestion  management.  Legacy  three-tier 
architectures  naturally  have  a  large  Cisco  com¬ 
ponent  —  specifically,  the  10-year-old  Catalyst 
6500  switch  —  given  the  company’s  dominance 
in  enterprise  and  data  center  switching. 

Cisco  says  a  three-tier  approach  is  optimal  for 
segmentation  and  scale.  But  the  company  also 
supports  two-tier  architectures  should  custom¬ 
ers  demand  it. 

“We  are  offering  both,”  says  Senior  Product 
Manager  Thomas  Scheibe.  “It  boils  down  to  what 
the  customer  tries  to  achieve  in  the  network.  Each 
tier  adds  another  two  hops,  which  adds  latency; 
on  the  flipside  it  comes  down  to  what  domain  size 
you  want  and  how  big  of  a  switch  fabric  you  have 
in  your  aggregation  layer.  If  the  customer  wants 
to  have  1,000 10G  ports  aggregated,  you  need  a 
two-tier  design  big  enough  to  do  that.  If  you  don’t, 
you  need  another  tier  to  do  that.” 

Blade  Network  Technologies  agrees:  “Two- 
tier  vs.  three-tier  is  in  large  part  driven  by  scale,” 
says  Dan  Tuchler,  vice  president  of  strategy  and 
product  management  at  Blade,  a  maker  of  blade 
server  switches.  “At  a  certain  scale  you  need  to 
start  adding  tiers  to  add  aggregation.” 

But  the  latency  inherent  in  a  three-tier 
approach  is  inadequate  for  new  data  center  and 
cloud  computing  environments  that  incorporate 
server  virtualization  and  unified  switching  fab¬ 
rics,  experts  say. 

Applications  such  as  storage  connectivity, 
high-performance  computing,  video,  extreme 
Web  2.0  volumes  and  the  like  require  unique 
network  attributes,  according  to  consultant 
Nick  Lippis.  Network  performance  has  to  be 
non-blocking,  highly  reliable  and  faultless  with 
low  and  predictable  latency  for  broadcast,  mul¬ 
ticast  and  unicast  traffic  types. 

“New  applications  are  demanding  predict¬ 
able  performance  and  latency,”  says  Jayshree 
Ullal,  CEO  of  Arista  Networks,  a  privately  held 
maker  of  low  latency  10G  Ethernet  top-of-rack 
switches.  “The  legacy  three-tier  model  doesn’t 
work  because  most  of  the  switches  are  10:1, 50:1 
oversubscribed,”  meaning  different  applications 
are  contending  for  limited  bandwidth. 

This oversubscription plays a role in the
latency of today’s switches in a three-tier data
center architecture, which is 50 to 100 microseconds
for an application request across the
network, Layland says. Cloud and virtualized
data center computing with a unified switching
fabric requires less than 10 microseconds of
latency to function properly, he says.

Fork in the road

Virtualization, inexpensive 10G links and unified Ethernet
switching fabrics are catalyzing a migration from three-tier Layer
3 data center switching architectures to flatter two-tier Layer 2
designs, which subsume the aggregation layer into the access
layer. Proponents say this will decrease cost, optimize operational
efficiency and simplify management.

[Figure: three-tier and two-tier architectures]

Part  of  that  requires  eliminating  the  aggrega¬ 
tion  tier  in  a  data  center  network,  Layland  says. 
But  the  switches  themselves  must  use  less  packet 
buffering  and  oversubscription,  he  adds. 

Most  current  switches  are  store-and-forward 
devices  that  store  data  in  large  buffer  queues 
and  then  forward  it  to  the  destination  when  it 
reaches  the  top  of  the  queue. 

“The  result  of  all  the  queues  is  that  it  can  take 
80  microseconds  or  more  to  cross  a  three  tier 
data  center,”  he  says. 

New data centers require cut-through switching
— which is not a new concept — to significantly
reduce or even eliminate buffering within
the switch, Layland says. Cut-through switches
can reduce switch-to-switch latency from 15 to
50 microseconds to 2 to 4 microseconds, he says.

Another  factor  negating  the  three-tier 
approach  to  data  center  switching  is  server  vir¬ 
tualization.  Adding  virtualization  to  blade  or 
rack-mount  servers  means  the  servers  take  on 
the  role  of  access  switching. 

Virtual switching inside servers takes place in a
hypervisor, and in other cases the network fabric
is stretched to the rack level using fabric extenders.
The result is that the access switching layer
has been subsumed into the servers themselves.

“In this model there is no third tier where traffic
has to flow to accommodate server-to-server
flows; traffic is either switched at access or in the
core at less than 10 microseconds,” Lippis says.

Because  of  increased  I/O  with  virtual  switch¬ 
ing  in  the  server  there  is  no  room  for  a  blocking 
switch  between  the  access  and  the  core,  says  Asaf 
Somekh,  vice  president  of  marketing  for  Voltaire, 
a  maker  of  Infiniband  and  Ethernet  switches.  “It’s 
problematic  to  have  so  many  layers.” 

Another requirement of new data center
switches is to eliminate the Ethernet spanning
tree algorithm, Layland says. Currently all
Layer 2 switches determine the best path from
one endpoint to another using the spanning tree
algorithm.

Just one path is active; the other paths through
the fabric to the destination are used only if the
best path fails. The lossless, low-latency requirements
of unified fabrics in virtualized data centers
require switches that use multiple paths to
get traffic to its destination, Layland says. These
switches continually monitor potential congestion
points and pick the fastest and best path at
the time the packet is being sent. “Spanning tree
has worked well since the beginning of Layer 2
networking but the ‘only one path’ [approach]
is not good enough in a non-queuing and
non-discarding world,” Layland says.

Finally,  cost  is  a  key  factor  in  driving  two- 
tier  architectures.  Ten  gigabit  Ethernet  ports 
are  inexpensive  —  about  $500,  or  twice  that 
of  Gigabit  Ethernet  ports  yet  with  10  times  the 
bandwidth.  Virtualization  allows  fewer  servers 
to  process  more  applications,  thereby  eliminat¬ 
ing  the  need  to  acquire  more  servers. 

And  a  unified  fabric  means  a  server  does  not 
need  separate  adapters  and  interfaces  for  LAN 
and  storage  traffic.  Combining  both  on  the  same 
network  can  reduce  the  number  and  cost  of 
interface  adapters  by  half,  Layland  notes. 

And by eliminating the need for an aggregation
layer of switching, there are fewer switches to
operate, support, maintain and manage.

“If  you  have  switches  with  adequate  capac¬ 
ity  and  you’ve  got  the  right  ratio  of  input  ports 
to  trunks,  you  don’t  need  the  aggregation  layer,” 
says  Joe  Skorupa,  a  Gartner  analyst.  “What 
you’re  doing  is  adding  a  lot  of  complexity  and  a 
lot  of  cost,  extra  heat  and  harder  troubleshooting 
for  marginal  value  at  best.”  ■ 
TECHUPDATE

An  inside  look  at  technologies  and  standards 


Inside  dynamic  workload  mgmt. 


BY  KLAUS  OESTERMANN 


Dynamic workload management — the
ability to sense changes in demand and
automatically invoke requisite application
and server resources to meet
new workloads — is quickly becoming
a fundamental requirement in the new data
center. Besides increasing compute efficiencies,
the technology helps overcome the shortage of
critical data center resources such as floor space
and available cooling and power capacity.

Resource  scarcity  stems  in  no  small  part  from 
a  long-standing  principle  of  data  center  design: 
Achieving  high  power  densities  has  always  been 
a  primary  goal  based  on  the  expectation  that 
overall  costs  should  be  proportional  to  floor 
space.  Naturally  this  led  to  the  construction  of 
relatively  modest-sized  data  centers. 

But  even  those  built  with  generous  amounts 
of  overhead  have  been  stretched  to  the  extreme 
in  the  face  of  prevailing  trends: 

■ Business process automation and
exploitation of Web technologies
have led the average business to
grow its total server count by 10%
per year over the past decade.

■  Data  center  consolidation  and  resource 
centralization  are  being  pursued 
to  reduce  operating  costs,  ease 
compliance  and  improve  security. 

■  Power  and  cooling  requirements 
for  servers  have  steadily  risen  in 
response  to  demand  for  systems 
with  higher  performance. 

And  on  top  of  everything  else,  energy  prices 
are  increasing  approximately  5%  per  year. 

Consequently,  many  organizations  are  scram¬ 
bling  to  build  new  data  centers  and/or  to  take 
advantage  of  progress  being  made  on  several 
fronts,  including  better  measurement  and  moni¬ 
toring  techniques;  improved  design  principles; 
and  high  efficiency  networking,  cooling  and 
power  conversion  equipment. 

There  is  little  doubt  that  maximizing  efficiency 
and  thoroughly  optimizing  a  data  center  is  best 
achieved  by  taking  a  comprehensive  approach. 
IT  management  should  pursue  improvements 
in  everything  from  governance  to  cooling  sys¬ 
tems,  power  distribution  and  conversion,  geo¬ 
graphic  location,  physical  layout  and  materials 
of  construction,  IT  equipment  and  operational 
management. 

The  problem,  however,  is  that  for  some  com¬ 
panies  the  issues  of  data  center  cost  and  capac¬ 
ity  limitations  are  already  critical.  They  simply 
have  nothing  left;  there’s  no  more  space  and  no 
more  power. 

For these shops, taking 12 to 36 months to
implement strategic, long-term solutions is not
sufficient. They need relatively quick, low-cost
fixes that deliver meaningful gains and, ideally,
remain applicable for future data centers the
organization builds as well. Dynamic workload
management has the potential to be such a fix.

The  objective  of  dynamic  workload  manage¬ 
ment  is  further  reduction  of  the  top  consumer  of 
data  center  resources:  servers. 

The  idea  is  to  alleviate  the  need 
to  have  dedicated  hardware  for 
intermittent  and  infrequent 
application  workloads. 

The  four  elements  required 
for  a  dynamic  workload  man¬ 
agement  solution  are:  a  server 
virtualization  capability,  a 
load  monitoring  capability,  an 
orchestration  capability  and  a 
load  distribution  capability. 

It  is  widely  accepted  that 
server  virtualization  technology 
can  be  used  by  organizations  to 
reduce  server  count.  The  ability 
to  host  dissimilar  workloads 
on  a  single  physical  server  enables  IT  shops  to 
avoid  the  all-too-common  scenario  where  80% 
of  servers  are  operating  at  relatively  low,  ineffi¬ 
cient  rates  of  utilization,  typically  5%  to  30%. 

Introducing  layer  of  abstraction 

Another  key  facet  of  virtualization,  however,  is 
that  it  introduces  a  layer  of  abstraction  between 
applications,  operating  systems  and  the  hard¬ 
ware  on  which  they  run.  In  other  words,  work¬ 
loads  can  be  run  without  concern  for  depen¬ 
dencies  the  applications  may  have  on  various 
elements  of  the  underlying  system,  such  as  BIOS 
version,  drivers  and  various  operating  system 
functions.  This  is  important  because  without 
abstraction,  implementing  dynamic  workload 
management  would  be  significantly  more  com¬ 
plex,  or  at  least  restricted. 

But dynamic workload management extracts
additional gains from traditional server virtualization
efforts, beyond the initial degrees of
consolidation with which most organizations
are familiar. And this is where the other three
components come into play.

On  the  surface,  the  role  of  the  load  monitor¬ 
ing  capability  appears  straightforward:  to  track 
status  and  utilization  levels  for  servers.  In  real¬ 
ity,  there  is  more  to  it.  In  particular,  the  visibility 
and  intelligence  must  also  be  sufficient  to  pro¬ 
vide  details  on  impending  resource  constraints, 
such  as  low  memory  or  disk  space,  and  the  rela¬ 
tionships  between  specific  workloads  and  serv¬ 
ers  —  which  applications  are  running  where. 

Next up is the orchestrator. Armed with information
about resource constraints, this management
application requests the virtualization
infrastructure to spin up (or down) additional
servers — which can otherwise be kept powered
off — and provision them with a specific workload
when applicable thresholds are exceeded.

The  final  element  is  one  that  is  often  over¬ 
looked:  having  an  upstream  traffic  manage¬ 
ment  device  on  the  job.  Upon  notification  that 
additional  servers  have  been 
spun-up,  this  device  ensures 
they  are  added  to  the  appropriate 
resource  pool,  adjusts  traffic  dis¬ 
tribution  patterns  accordingly, 
and  enforces  any  other  applicable 
traffic  management  policies. 

It  is  all  the  better  if  you  employ 
a  full-featured  application  deliv¬ 
ery  controller  to  fulfill  the  latter 
capability.  That  way  you  only 
need  a  single  device  to  provide 
both  the  load  monitoring  and 
load  distribution  capabilities. 
Server  count  can  be  lowered  even 
further  by  employing  the  deliv¬ 
ery  controller’s  offload  features. 
These  significantly  reduce  the  load  on  down¬ 
stream  servers  by  caching  frequently  requested 
content  and  unburdening  them  from  compute¬ 
intensive  tasks  such  as  encryption  and  session 
management. 

One of the clearest use cases for dynamic
workload management pertains to organizations
that operate multiple, large Web applications.
Conventional practice in this case is to
operate extra servers on a per-application basis
to address both high availability and peak load
requirements. With dynamic workload management,
a single pool of extra servers can instead
be shared across numerous applications - easily
reducing the total number of backup/overflow
servers by 50% or more.
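
The monitor, orchestrator and traffic-manager loop and the shared overflow pool described above, modeled in Python as an added example (it is not from the article or from any vendor product). The thresholds, server names, capacity figure and demand series are all constructed assumptions.

```python
"""Toy model of the pieces described above: virtual servers, a load monitor,
an orchestrator and an upstream traffic manager. Every name, threshold and
demand figure is constructed for illustration."""
from math import ceil

SERVER_CAPACITY = 100    # requests/sec one virtual server absorbs (assumed)
SCALE_UP_ABOVE = 0.80    # orchestrator adds a server above this utilization
RELEASE_IF_UNDER = 0.70  # and releases one only if the rest stay at or under this

# Constructed demand in requests/sec per tick; peaks are staggered across apps.
DEMAND = {
    "web":     [60, 300, 300, 150, 60, 60],
    "payroll": [60, 60, 150, 300, 60, 60],
    "reports": [60, 60, 60, 60, 150, 300],
}


class TrafficManager:
    """Upstream device: owns each app's resource pool and spreads traffic over it."""

    def __init__(self, apps):
        # Each app starts with one always-on baseline server.
        self.pools = {app: [f"{app}-base"] for app in apps}

    def add(self, app, server):
        self.pools[app].append(server)

    def remove(self, app):
        return self.pools[app].pop()  # callers never pop the baseline server

    def distribute(self, app, demand):
        """Even split of demand across the pool, as requests/sec per server."""
        share = demand / len(self.pools[app])
        return {server: share for server in self.pools[app]}


def monitor(traffic, demand_now):
    """Load monitor: utilization per app plus which servers carry it."""
    report = {}
    for app, servers in traffic.pools.items():
        util = demand_now[app] / (len(servers) * SERVER_CAPACITY)
        report[app] = {"utilization": util, "servers": list(servers)}
    return report


class Orchestrator:
    """Spins shared standby servers up or down when thresholds are crossed."""

    def __init__(self, traffic, standby_count):
        self.traffic = traffic
        self.standby = [f"vm-{i}" for i in range(standby_count)]  # powered off
        self.total = standby_count
        self.peak_in_use = 0

    def reconcile(self, demand_now):
        # Release first, so a server freed by one app can serve another this tick.
        for app, pool in self.traffic.pools.items():
            while len(pool) > 1 and (
                demand_now[app] / ((len(pool) - 1) * SERVER_CAPACITY) <= RELEASE_IF_UNDER
            ):
                self.standby.append(self.traffic.remove(app))
        for app in self.traffic.pools:
            while monitor(self.traffic, demand_now)[app]["utilization"] > SCALE_UP_ABOVE:
                if not self.standby:
                    raise RuntimeError(f"standby pool exhausted while scaling {app}")
                self.traffic.add(app, self.standby.pop())
        self.peak_in_use = max(self.peak_in_use, self.total - len(self.standby))


def simulate(demand, standby_count):
    """Run every tick; return (pool sizes per tick, peak standby servers in
    use, highest requests/sec any single server had to carry)."""
    traffic = TrafficManager(demand)
    orch = Orchestrator(traffic, standby_count)
    timeline, worst = [], 0.0
    for t in range(len(next(iter(demand.values())))):
        now = {app: series[t] for app, series in demand.items()}
        orch.reconcile(now)
        timeline.append({app: len(pool) for app, pool in traffic.pools.items()})
        for app in now:
            worst = max(worst, max(traffic.distribute(app, now[app]).values()))
    return timeline, orch.peak_in_use, worst


def dedicated_spares(demand):
    """Conventional sizing: every app keeps its own extras for its own peak."""
    per_server = SERVER_CAPACITY * SCALE_UP_ABOVE
    return sum(max(1, ceil(max(series) / per_server)) - 1 for series in demand.values())


if __name__ == "__main__":
    timeline, shared, worst = simulate(DEMAND, standby_count=6)
    for tick, sizes in enumerate(timeline):
        print(tick, sizes)
    print("shared standby servers needed:", shared)
    print("dedicated spares needed:", dedicated_spares(DEMAND))
```

The gap between the release and scale-up thresholds keeps a pool from flapping when demand sits near the limit, and an undersized standby pool surfaces as an explicit error rather than silent overload.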

Most  organizations  also  have  a  range  of  addi¬ 
tional  intermittent  and  infrequent  workloads, 
all  of  which  can  be  served  more  efficiently  using 
dynamic  workload  management.  And  in  a  data 
center  environment  where  every  inch,  BTU,  watt 
and  penny  counts,  the  resulting  savings  are  vir¬ 
tually  guaranteed  to  have  a  big  impact.  ■ 

Oestermann  is  vice  president  and  general 
manager  of  Citrix  Systems'  NetScaler  Product 
Group. 
GEARHEAD BY MARK GIBBS


Managing  remote  desktop  management 


THERE  HAVE  BEEN  many  great  steps  forward  in 
the  world  of  computing:  The  mouse,  the  desktop 
and  folder  metaphor,  object-oriented  languages 
and  . . .  well,  the  list  is  long  and  highly  debatable.  I  would  like  to  offer 
another  entry:  Remote  desktop  access  technology. 

When  I  were  a  young  un’  the  only  remote  access  you  had  was  Telnet  and 
you  had  to  walk  uphill  both  ways  with  barbed  wire  ‘round  your  feet  to  get 
anything  done.  But  I  digress. 

Today,  we  have  a  variety  of  technologies  that  allow  us  to  remotely  access 
graphical  desktops  and  see  more-or-less  exactly  what’s  going  on. 

So, what are your choices? Well, there are quite a few products
(http://tinyurl.com/q3gdzb) to choose from, with the majority based on either
Microsoft’s proprietary Remote Desktop Protocol (RDP) or something
called RFB (remote framebuffer), which was developed in 1998 by the now
defunct Olivetti Research Laboratory.

The details of RDP used to only be available under license, but when
Microsoft started (grudgingly) to embrace openness, it made the details
(http://tinyurl.com/ryt7pu) available under its Open Source Interoperability
Initiative.

In  contrast,  the  RFB  protocol  specification  has  been  open  and  free  since 
its  inception.  A  more  ambitious  version  of  the  documentation  is  also 
available. 

The two protocols are different architecturally. While RDP is built into
all Windows operating systems as a kernel-level driver that sends display
primitives for a Windows RDP client to render, RFB is layered on the top of
the system and sends compressed images of screen updates to an RFB client
to render independently of the underlying operating system. This means
that RDP is Windows-specific while RFB operates cross-platform.


If  your  shop  is  like  most  IT  operations  you  probably  use  products  that 
are  based  on  both  protocols  and,  where  RFB  is  concerned,  you  probably 
use  some  flavor  of  Virtual  Network  Computing  (VNC  is  both  the  name  of 
a  product  line  and  an  implementation  of  RFB).  There  are  scores  of  VNC- 
derived  products  available,  mostly  for  free,  and  they  all  interoperate 
because  they  are  all  RFB-based.  How  weird  is  that? 

Now,  if  you  have  a  lot  of  remote  machines  to  manage  then  you  really 
need  something  to  make  your  life  easier  and  I  have  just  the  tool  for  you: 
VNCScan  Enterprise  Network  Manager  for  VNC  and  RDP  published  by 
Bozteck  Software.  VNCScan  is  not  only  a  directory  and  launcher  of  your 
VNC  and  RDP  desktop  connections,  it  can  also  capture  remote  screen  shots 
into  thumbnails,  execute  scripts  on  remote  computers,  install  and  update 
remote  VNC  server  components,  monitor  the  up/down  state  of  VNC  and 
RDP, and ping for availability and uptime. As the company claims, “VNCScan
is like the Swiss Army Knife for anyone who manages computers on
a network.”

The  VNCScan  user  interface  allows  you  to  group  remote  machines 
(very useful for managing large numbers of devices) and logs all connection
activities.

My  only  complaint:  VNCScan’s  documentation  isn’t  well  organized;  it’s 
a  series  of  well-written  articles  but  they  aren’t  ordered.  On  the  other  hand, 
I noticed something that Bozteck has in its support articles that few companies
bother with: details about which files need to be backed up and how
to  restore  them.  Very  smart. 

What  is  crazy  about  VNCScan  is  its  price:  $59  for  a  single  admin  license 
and $995 for a full site license. VNCScan gets a rating of 4.5.

Gibbs  is  remote  in  Ventura,  Calif.  Access  him  at  gearhead@gibbs.com. 


COOL TOOLS BY KEITH SHAW

Vacation  Internet  better  than  ever? 


A  TREK  IN  the  family  truckster  from  the  Boston 
area  down  to  Myrtle  Beach,  S.C.,  last  week  not 
only  gave  me  the  chance  for  rest  and  relaxation, 
but  also  the  opportunity  to  test  out  some  Internet  access  devices. 

I  decided  to  bring  a  laptop  on  the  trip  for  general  Web  access,  but  I 
didn’t  know  what  the  Internet  access  options  would  be  like  during  the 
road  trip  and  at  our  vacation  spot. 

There’s  good  news  on  that  front  —  I’m  used 
to  business  travel  where  hotels  charge  up  to 
$15  or  more  for  24  hours  of  Internet  access, 
both  wired  and  wireless.  So  it  was  a  pleasant 
surprise  to  see  that  many  motor  lodges  and 
non-business  hotels  (scattered  along  Interstate  95)  offer 
free  Wi-Fi  to  guests.  Still,  there  were  some  spots  along 
the  way  where  a  3G  wireless  card  was  necessary,  so  it 
was  nice  that  I  had  these  two  other  options  to  test. 

The scoop: Sprint Mobile Broadband 2-in-1 Card
(Sierra  Wireless  AirCard  402),  about  $300  ($100 
after  various  rebates),  plus  service,  on  Sprint’s 
network. 

What  it  is:  This  card  claims  to  be  two  cards 
in  one,  but  it’s  really  just  one  Internet  access 
card  that  can  fit  into  two  different  slots  —  either  the 
notebook’s  PC  Card  or  the  ExpressCard  slot,  which  you 
can  find  on  newer  notebooks.  The  card  accesses  Sprint’s  Mobile 
Broadband network (3G wireless), and includes GPS capability with bundled
software that lets you know where you are while you’re on the road.

Why it’s cool: I liked having the ability to use this card on an older
notebook, as well as the newer notebook that only had an ExpressCard
slot. It was also nice that I could insert the card and the software would
automatically install — gone are the days of CD installation with the possibility
of messing up if you put the card in before you were supposed to.
Grade: ★★★★ (out of five stars)

The  scoop:  Broadband2Go,  by  Virgin  Mobile  USA,  about 
$150  (plus  pre-paid  megabyte  plan). 

What  it  is:  Prepaid  wireless  access  on  cell  phones 
has  been  around  for  many  years,  but  it  hadn’t  crossed 
over to the broadband data side until now. The Broadband2Go
package from Virgin Mobile USA offers a Novatel
Wireless USB modem (the Ovation MC760) and a quick
plug-and-play  installation.  Instead  of  a  monthly  plan,  users 
buy  a  bunch  of  megabytes.  For  $10,  you  get  10  days  of  access 
and  100MB.  For  $60,  it  increases  to  30  days  and  1GB  of  space. 
Why  it's  cool:  A  lot  of  workers  don’t  travel  enough  to  justify  a 
monthly  contract  for  other  broadband  cards.  For  example,  I  travel 
only  a  couple  of  times  over  a  six-month  period,  with  some  months 
where  I  don’t  need  broadband  access  at  all.  For  those  travelers,  a  prepaid 
broadband  plan  makes  sense.  Like  the  phone  plans,  users  can  “top  off” 
and  add  minutes  via  cash  (buying  top-off  cards),  credit  or  debit  cards. 

Some  caveats:  Installation  was  easy,  but  I  had  difficulty  activating  the 
initial modem (activating via the 1xRTT network timed out the site many
times).  Also,  the  $150  price  tag  should  come  down. 

Grade:  ★★★^ 

Shaw  can  be  reached  at  kshaw@nww.com. 


Sprint’s mobile broadband card has GPS capability.
CLEAR CHOICE TEST DATA LOSS PREVENTION

Block  data  leaks  at  the  endpoint 

TrendMicro,  Websense  offer  effective  protection  against  insider  security  breaches 


BY  BENJAMIN  BLAKELY,  MARK  RABE  AND  JUSTIN  DUFFY 


It almost goes without saying that the greatest threat to the security of
an  enterprise  network  often  comes  from  within.  Security  professionals 
can  shore  up  their  borders,  lock  down  their  devices  and  search  bags  on 
the  way  out,  but  there  might  never  be  a  way  to  be  100%  certain  that  an 
employee  is  not  abusing  access  to  sensitive  data. 

Endpoint  data  loss  prevention  (DLP)  products,  which  can  be  installed  on 
desktops,  laptops  or  servers,  are  designed  to  restrict  the  actions  of  users,  if 
not  their  access.  For  example,  Larry  in  accounting  might  need  access  to  the 
Social  Security  numbers  of  employees,  but  should  he  really  be  e-mailing 
them  to  China?  The  Holy  Grail  of  DLP  is  to  permit  users  to  do  exactly  what 
they  need  to  do,  without  allowing  them  to  do  anything  that  may  pose  a  risk. 
That’s  a  tall  order,  but  the  products  tested  in  this  review  impressed  us  with 
their  sophistication,  feature  set  and  ease  of  use. 

This  is  the  second  in  a  series  of  reviews  of  DLP  products.  The  first 
focused upon perimeter-based DLP tools. A test of end-to-end DLP products
is next.

In  this  test,  the  three  endpoint  DLP  products  were:  Data  Endpoint  from 
Websense,  LeakProof  from  TrendMicro,  and  Identity  Finder  Enterprise 
Edition  from  Identity  Finder.  Invitations  were  also  sent  to  Cisco,  McAfee, 
CA,  RSA,  Symantec,  Verdasys,  Safend,  Code  Green,  Indorse,  Proofpoint, 
nexTier,  Vericept,  GTB  and  Workshare,  but  those  vendors  decided  not  to 
participate. 

The basic idea for this test was to identify various types of sensitive data
and to see whether the endpoint DLP could stop that data from being exfiltrated
via a variety of methods, including saving to a USB drive, burning
to a disk, printing, sending via Webmail or sending via instant message. In
all, we conducted 588 tests.

TrendMicro’s  LeakProof  is  our  Clear  Choice  Test  winner,  as  the  best 
general-purpose endpoint DLP tool of the three. Configuration was painless,
performance was the best, it was the least obtrusive and it enforced
policies  across  the  entire  system.  It  was  also  the  most  consistent  across 
operating  systems  and  exfiltration  methods.  Plus,  the  installation  options 
of  a  physical  appliance,  bare-metal  install,  or  VMware  appliance  provide 
deployment  flexibility. 

Websense’s  Data  Endpoint  is  a  powerful,  feature-rich  product  that  gives 
administrators  the  ability  to  draw  on  a  large  selection  of  policy  templates, 
to  script  custom  actions  upon  detection,  to  tailor  actions  per-application, 
and  to  schedule  fingerprinting  of  files  in  a  network  share.  Data  Endpoint, 
part  of  Websense’s  Data  Security  Suite,  has  a  more  elaborate  feature  set 
than  TrendMicro’s  LeakProof,  and  it’s  considerably  less  expensive.  But  it 
also  has  a  few  rough  edges. 

Both of these products are aimed at keeping data from leaving the endpoint,
whether it be intentional or accidental. Practically speaking, accidental
removal is probably where the money is at, as a determined user
could  probably  find  ways  around  many  of  the  blocking  schemes. 

Identity  Finder  does  not  attempt  to  keep  users  from  doing  naughty 
things  with  sensitive  data,  but  rather  tries  to  help  users  protect  sensitive 
data  they  possess.  This  is  a  very  different  philosophy  —  trusting  that  users 
will  do  the  right  thing  instead  of  assuming  they  are  trying  to  do  the  wrong 
thing. 

Identity Finder still features centralized control and logging, but gives
users remediation options when a sensitive item is found. It focuses
principally upon identity-related information, such as names, addresses,
Social Security numbers, credit card numbers and other personal data.
However, it supports the use of regular expression matching, which allows
for more generic matching, if desired.

NETRESULTS

Product: Identity Finder Enterprise Edition
Vendor: Identity Finder, www.identityfinder.com/Products/Identity_Finder_Editions_Enterprise.html
Price: $5,000, plus $29.95 per user for 1,000 users.
Pros: Very informative for user. Excellent remediation functionality. User-friendly interface.
Cons: Does not block data, only identifies data that should be secured. Requires additional software for management client. Centralized policy configuration is daunting. Can only detect identity-related information. Installation process could use some polish. False positives from Windows DLLs and other program files.
Score: 2.5

Product: Data Endpoint
Vendor: Websense, www.websense.com/content/DataSecurity.aspx
Price: $17.50 per user per year for 1,000 users.
Pros: Easy to install, configure, deploy and manage. Minimal impact on system performance in Windows XP, Server 2003 and Server 2008. Great support. Feature rich and powerful.
Cons: Application-centricity means admins could end up in an arms race with users who find new applications to open data that violated policy. Could use polish on interaction with the user. Inconsistent reactions to policy violations. Unable to catch paragraph or smaller chunks of fingerprinted data.
Score: 3.75

Product: LeakProof
Vendor: TrendMicro, http://us.trendmicro.com/us/products/enterprise/leakproof/
Price: $65.99 per user for 1,000 users.
Pros: Excellent blocking capabilities. Preconfigured appliance makes initial setup simple. Can create conditional rule chains that only trigger an action when a certain combination of events occurs.
Cons: Initial setup of the appliance did not conform to the quick-start guide — had to rely on RedHat skills to get it on the network. Unable to restrict blocking to particular applications beyond what is already defined in the management console. Unable to catch page-sized or smaller chunks of fingerprinted data.
Score: 3.9


Data  discovery  differences 

The  traditional  method  of  data  discovery  is  to  crawl  every  file  share  that 
can  be  reached  for  the  data  in  question.  Data  Endpoint  and  LeakProof  can 
both  discover  data  in  this  manner,  if  discovery  alone  is  needed  for  a  system, 
or  if  installing  the  endpoint  agent  is  not  feasible.  However,  recognizing  that 
enabling file sharing on every device in a network could have some unintended
side effects, these products can perform discoveries on endpoints
via  the  software  agent  without  file  sharing  enabled. 

Identity  Finder’s  scanning  is  performed  on  the  local  system,  and  any 
sensitive  files  it  identifies  are  reported  to  the  management  console.  After 
the  scan  is  finished,  if  the  endpoint  user  has  write  access  to  the  scanned 
files,  the  Data  Endpoint  and  Identity  Finder  agents  have  the  option  to  reset 
the  file  access  times  to  what  they  were  before  the  scan. 

Combine  this  with  the  stealth  mode  in  Data  Endpoint,  and  discovery 
becomes  nearly  undetectable  (at  least  for  ordinary  users).  Data  Endpoint 
boasts  an  additional  perk  to  ensure  that  network  discoveries  do  not  pose 
an  inordinate  burden  on  the  network  or  any  device:  the  ability  to  throttle 
network  throughput  available  to  the  discovery  process. 

Fingerprinting  for  the  masses 

Fingerprinting  functionality  stands  out  in  these  products.  Typically  in 
DLP  products,  the  fingerprinting  process  is  limited  to  a  few  users  who  are 
allowed to log in to the management console, submit a file for fingerprinting,
and then enable that fingerprint for detection. Data Endpoint and
LeakProof  strip  away  these  layers  and  let  ordinary  users  determine  which 
information  should  be  protected  by  running  scheduled  fingerprints  of  all 
items  in  a  network  share.  Of  course,  the  administrator  can  still  manually 
fingerprint  files,  and  can  also  configure  a  scheduled  fingerprint  scan  of  a 
network  share. 

If  your  accountant  has  a  spreadsheet  that  shouldn’t  be  allowed  to  leave 
the  network,  all  he  has  to  do  is  drop  that  into  this  network  share.  Upon  the 
next fingerprint scan (which is on a schedule determined by the administrator),
this new file will automatically be fingerprinted and woven into
the  DLP  policy. 

TrendMicro  says  it  uses  a  unique  fingerprinting  method  inspired  by 
human  fingerprints.  This  enables  LeakProof  to  identify  a  document,  even  if 
a  large  portion  of  it  has  been  changed.  For  this  test,  the  only  content  change 
performed  was  a  minor  one,  so  this  functionality  was  not  fully  tested. 

Violators  will  be  punished 

The  hardest  decision  for  an  endpoint  protection  product  is  what  to  do 
when  a  violation  is  detected.  Data  Endpoint  and  LeakProof  both  support 
the  ability  to  block  the  action,  ask  the  user  to  confirm  or  justify  the  action, 
send  notification  to  an  administrator,  and  log  the  violation.  However,  each 
offers  something  the  other  doesn’t. 

Data Endpoint gives the power to run a custom script on the item — perhaps
moving it to a secure location and leaving a notification message in its
place,  or  encrypting  the  file.  The  only  limit  is  the  administrator’s  scripting 
ability. 

On the other hand, LeakProof has the capability to gather more information
from the user. LeakProof gives the option to request a justification
for the action, instead of just a ‘yes’ or ‘no’ allow decision, as in Data
Endpoint.


SCORECARD

Action          Weight   Identity Finder   Data Endpoint   LeakProof
Performance     60%      2                 3.5             4
Management      20%      3                 4               4
Features        10%      4                 4.5             4
Documentation   10%      3                 4               3
Total score              2.5               3.75            3.9

SCORING KEY: 5: EXCEPTIONAL; 4: VERY GOOD; 3: AVERAGE;
2: BELOW AVERAGE; 1: SUBPAR OR NOT AVAILABLE


To  be  clear,  either  of  these  options  is  only  available  to  the  user  when  the 
confirmation  response  is  selected  instead  of  the  block  response.  Both  Data 
Endpoint and LeakProof can be completely silent about blocking the activity.
The user might never know the agent is on the system.

Identity  Finder  gives  the  user  options  about  what  to  do  with  a  discovered 
sensitive  file.  The  user  may  move  it  into  an  encrypted  file  vault  (maintained 
by  Identity  Finder);  shred  the  file  any  number  of  times;  quarantine  the  item 
to  a  secure  location;  or  if  the  file  is  a  text  file,  Office  2007  file  or  PDF,  scrub 
the offending items from the file. We were only able to verify the scrubbing
functionality for text files. The central console controls the selection
of  these  features  that  are  available  to  the  user. 

A feature that left us somewhat on the fence was Data Endpoint’s application-centric
policy configuration. While this gives a very fine level of
control to the administrator, it leaves one open to a constant stream of new
applications that must be detected and added to the policy. In an environment
where users are not allowed to install software, this might be less of
an  issue. 

Another potential downside is that if an administrator wishes to control
copying to network shares, unauthorized internal hard drives or other
folders  on  the  same  drive,  he  must  block  Explorer.exe’s  access  to  sensitive 
files.  Obviously  this  will  create  some  issues,  as  Windows  will  be  cordoned 
off  from  them. 

Installation 

None  of  the  installations  was  particularly  difficult,  though  they  all  had 
their  minor  shortcomings. 

Websense requires both Oracle and MS SQL to be installed on the system,
as well as .Net 3.5. Fortunately, these items were all bundled with
the  installation  files  provided,  and  their  installation  was  wrapped  into  the 
installer.  We  had  to  manually  extract  the  installer  files  for  Oracle  and  MS 
SQL  and  then  instruct  the  installer  where  to  find  them.  Considering  the 
items  are  all  bundled  together,  this  seems  like  something  that  could  be 
automated.  After  installation,  the  management  console  was  used  to  input 
the  licensing  information  provided  by  Websense. 

Data Endpoint includes a utility to build installation packages for the
endpoint software. In this utility, the administrator specifies the IP address
of the management server and a couple of other parameters. From this
information, Data Endpoint builds a customized installer package that
can be used to deploy the agent to the clients. For this test, the files were
copied to the clients and manually installed.

TrendMicro’s LeakProof installation was eased by the fact that a physical
appliance was used, instead of a software installation. However, the
installation  documentation  was  somewhat  lacking.  The  quick  start  guide 
that  shipped  with  the  product  contained  a  port  diagram  that  did  not  match 
the  configuration  of  ports  on  the  PowerEdge  1950  that  was  used.  Also,  the 
user  name  and  password  on  the  sheet  did  not  work.  An  e-mail  to  support 
returned  an  updated  quick  start  guide  containing  a  working  login  (though 
the port diagram was still incorrect). This guide mentioned a configuration
utility that was apparently supposed to start at first login, but did not
give  the  name  of  the  command  to  start  it  by  hand.  Since  the  utility  did  not 
start  on  first  login,  network  configuration  had  to  be  performed  manually. 
Fortunately,  the  system  is  built  upon  CentOS  (a  free  RedHat  clone),  which 
we  were  familiar  with. 

From this point on, sailing was relatively smooth for LeakProof’s installation.
The endpoint agent installer was command line driven, requiring
the administrator to specify the IP address of the management server.
Deployment via Active Directory or System Center Configuration Manager
is also advertised, but was not tested.

Identity Finder’s installation process was about average. No major problems
were encountered, but we had to manually install .Net 3.5, Microsoft
Report Viewer 2008 and IIS 6.0 or better before the installer would continue.
Since the first two are freely available, and the third is a Windows
component,  this  process  could  definitely  be  automated.  After  installation, 
the  license  file  needed  to  be  manually  copied  into  the  directory  containing 
the  management  console  executable. 

The  Identity  Finder  installer  also  created  a  registry  file  that,  along  with 
the installer and license files, needed to be copied to the clients. The registry
file needed to be manually executed to add the management server
information  to  the  registry,  and  then  the  installer  could  be  executed  from 
the  command  line. 

Configuration 

LeakProof  and  Identity  Finder’s  management  server  configuration  is  done 
entirely  from  a  Web  console.  Data  Endpoint  has  a  Web  console  for  policy 
and profile management, but also a separate MMC snap-in for management
of the server itself. Websense is working towards unifying this into
a  single  Web-based  console. 

Data  Endpoint  for  the  most  part  had  the  easiest-to-use  configuration, 
other  than  being  split  into  two  interfaces.  After  an  orientation  from  an 
engineer  at  Websense,  we  were  able  to  navigate  comfortably  around  the 
interfaces.  That  said,  a  couple  of  the  test  items  required  additional  support 
to  fully  configure.  Initial  policy  configuration  is  a  breeze  with  the  Policy 
Wizard.  This  tool  asks  the  administrator  what  type  of  organization  is  using 
the  product  (for  example,  government,  finance,  healthcare,  education)  and 
in  which  locality  the  product  is  to  be  used.  It  then  tailors  a  (long)  list  of 
available  templates.  For  this  test,  only  the  HIPAA  and  PCI  templates  were 
used,  but  many  others  could  have  been  enabled. 

After  the  initial  configuration  of  policy  profiles,  the  administrator  moves 
over  to  the  Web  interface  to  configure  profiles  for  protection.  This  test  only 
made  use  of  the  default  profile,  but  the  ability  to  target  profiles  for  different 
computers or users is available. Each profile consists of channels and services
(applications). The administrator selects which channels to protect,
and then configures the blocking actions for the desired groups of applications,
or individual applications.

The option to globally block or confirm actions is available, but is not
recommended, as this might interfere with Windows. During this process,
we occasionally encountered “Security Clearance” errors when clicking
through a page before it had fully loaded. In more than one instance, this
resulted in the loss of all changes made to the profile since the last explicit
save. The product also lacks the ability to block files based upon file name,
as Websense does not see this as a useful feature. For this test, keyword
blocking was able to serve the same function in most cases.

[Chart: Performance results. Percentages reflect success rate in blocking sensitive
data from leaving the endpoint. Overall score (588 total tests).]

Chart notes:

1. Included tests of exfiltrating the entire document, a page from the document,
a paragraph from the document, and a sentence from the document.

2. Both vendors claim that this functionality is useless, as file name doesn’t
necessarily imply anything about the content. The reviewers were able to configure
keyword policies to emulate this functionality, but performance suffered.

3. Includes obfuscation tests of: compression (TAR, gzip, and zip), Base64 encoding,
UUEncoding, and replacing all instances of the word “IPv6” with “goods”.

In  all  three  products,  changes  to  the  configuration  must  be  pushed  out  to 
the  endpoints.  With  LeakProof  and  Data  Endpoint,  the  policies  are  given 
version numbers, which makes checking for up-to-date configurations
trivial. In Data Endpoint, the interval at which endpoints check for policy
and profile updates is configurable by the administrator (in intervals
as  short  as  one  minute).  All  endpoints  update  their  policy  upon  system 
startup. 

LeakProof  has  a  very  clearly  labeled  Web  interface  that  was  easy  to  use. 
It  included  a  configuration  flowchart  that  made  it  clear  which  steps  needed 
to  be  taken  to  configure  the  system.  Like  Data  Endpoint,  LeakProof  can 
enforce  policies  globally,  or  at  the  finer  level  of  user  or  computer  groups. 
An additional feature was the ability to create conditional rules. For example:
if the file contains “Top Secret” but not “Approved for Release” then
take  some  blocking  action.  The  Web  interface  was  easy  enough  to  use  that 
minimal  reference  to  the  documentation  was  needed,  and  support  only 
needed  to  be  contacted  once. 

Identity  Finder’s  configuration  interface  lags  somewhat  behind  the 
other two in ease of use. The policy configuration is reminiscent of Microsoft
Group Policy in that the administrator is faced with a rather daunting
tree  of  jargon-filled  options.  However,  once  we  established  the  difference 
between  “Anyfind”  and  “Onlyfind”,  the  explanations  given  in  the  interface 
were sufficient to configure the system to test specifications. This product
was only tested on its ability to detect HIPAA- and PCI-related data,
as  that  is  its  main  focus.  Custom  regular  expressions  can  be  used  to  find 
other  types  of  data,  but  those  seem  to  lie  in  the  periphery  of  this  product’s 
functionality. 

The  Identity  Finder  enterprise  administrator  has  the  ability  to  control 
which  remediation  measures  users  can  take,  and  what  configuration 
options  are  available  to  them.  The  endpoint  was  easier  to  configure  from 
its  local  console  than  from  the  central  console. 

Performance 

After  completing  configuration,  we  tried  combinations  of  protected  file, 
exfiltration  method,  operating  system  and  vendor  (588  tests  in  all).  The 
general categories of protected files were: HIPAA-relevant data, PCI-relevant
data, code in several languages, a (formerly) classified document, a
legal  document,  a  media  file,  an  empty  file  used  to  check  file  name  blocking, 
and  a  standards  document  —  including  six  obfuscations. 

The  exfiltration  methods  were:  copying  to  a  USB  drive;  burning  to  a  CD; 
printing to a network printer; sending IMs; e-mailing via a Web-based client,
an open source client, and Outlook Express/Windows mail; sharing
via a peer-to-peer client; copying to a network share; and pasting the contents
of the file into Wordpad.

Not  every  test  was  possible  on  every  configuration.  Identity  Finder  has 
no  blocking  ability,  therefore  it  is  not  included  in  these  performance  tests. 

LeakProof  won  our  performance  testing,  scoring  a  76%  overall  success 
rate  to  68%  for  Data  Endpoint.  LeakProof  scored  100%  in  blocking  HIPAA 
and PCI data, 100% blocking various types of code and 96% blocking different
access to media, such as thumb drives and CDs. LeakProof scored
only  29%  blocking  legal  documents  and  18%  blocking  via  file  names, 
although  the  company  argues  that  this  functionality  is  irrelevant  because 
file  names  don’t  tell  you  anything  about  the  content  of  the  file. 

When it came to exfiltration methods, LeakProof was remarkably consistent,
blocking roughly 75% of sensitive data no matter which method
was  used.  LeakProof  did  have  a  problem  blocking  smaller  portions  of  a 
fingerprinted  document. 

Though  Data  Endpoint  was  able  to  catch  pages,  it  was  not  able  to  catch 
paragraph- or sentence-sized excerpts. This could pose a problem for documents
where only a couple paragraphs contain truly sensitive information.
Fortunately,  most  scenarios  where  this  would  pose  a  problem  are  handled 
by  other  mechanisms  (such  as  pattern  matching  and  keyword  blocking). 
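
Why excerpt size matters for fingerprint matching, as an added example that is not from the article and is not Websense's or TrendMicro's algorithm: a generic word-shingle fingerprint index that scores an outgoing text both relative to itself (containment) and relative to the whole protected document (resemblance). The class name `FingerprintIndex`, the shingle width `k`, the 0.4 threshold and the payroll text are all constructed for illustration.

```python
import hashlib
import re


def shingles(text, k=5):
    """Hash every run of k consecutive words (case and punctuation ignored)."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    # Fewer than k words gives an empty range, so an empty set.
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).digest()[:8]
        for i in range(len(words) - k + 1)
    }


class FingerprintIndex:
    """Stores shingle hashes of protected documents, never the text itself."""

    def __init__(self, k=5):
        self.k = k
        self.docs = {}

    def register(self, name, text):
        self.docs[name] = shingles(text, self.k)

    def score(self, outgoing):
        """Return {doc: (containment, resemblance)} for an outgoing text.

        containment = share of the OUTGOING text's shingles found in the doc
        resemblance = shared shingles over the union (whole-document measure)
        """
        out = shingles(outgoing, self.k)
        scores = {}
        for name, fp in self.docs.items():
            shared = len(out & fp)
            union = len(out | fp)
            containment = shared / len(out) if out else 0.0
            resemblance = shared / union if union else 0.0
            scores[name] = (containment, resemblance)
        return scores

    def matches(self, outgoing, threshold=0.4):
        """Documents whose content makes up at least `threshold` of the text."""
        return sorted(
            name for name, (c, _) in self.score(outgoing).items() if c >= threshold
        )


# Constructed sample data.
PROTECTED = (
    "Quarterly payroll summary for the finance group. "
    "Total gross wages paid in the third quarter were higher than forecast. "
    "Bonus accruals for the sales team will be released after the audit closes. "
    "Employee identification numbers are listed in the attached spreadsheet tab. "
    "Do not forward this summary outside the accounting department."
)
SENTENCE = "Bonus accruals for the sales team will be released after the audit closes."
EDITED = SENTENCE.replace("released", "paid")   # one word changed
FRAGMENT = "after the audit closes"              # shorter than k words
UNRELATED = "Lunch menu for the cafeteria is posted on the intranet every Monday morning."


def build_index():
    index = FingerprintIndex(k=5)
    index.register("payroll-q3", PROTECTED)
    return index


if __name__ == "__main__":
    idx = build_index()
    for label, text in (("sentence", SENTENCE), ("edited", EDITED),
                        ("fragment", FRAGMENT), ("unrelated", UNRELATED)):
        c, r = idx.score(text)["payroll-q3"]
        print(f"{label:10s} containment={c:.2f} resemblance={r:.2f} "
              f"flagged={idx.matches(text)}")
```

A threshold applied to resemblance would pass the single sentence (about 0.19) even though every shingle in it comes from the protected file, and anything shorter than `k` words produces no shingles at all, so that case has to be covered by pattern or keyword rules.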

Data Endpoint scored higher than LeakProof in many categories of
exfiltration methods. For example, 85% each for blocking via USB drive,
CD and Webmail, compared with 75% for LeakProof in those three categories.
However, the current version of Data Endpoint doesn’t block users
from moving data to shared network drives without denying Windows
access to these files, so it scored a zero in that category. Websense plans to
provide enhanced support for CIFS shares in Version 7.5, which should
remedy this shortcoming.

While  neither  product  had  an  explicit  file  name  matching  ability,  the 
keyword  ability  in  Data  Endpoint  was  able  to  largely  achieve  the  same 
purpose. 

Identity  Finder  performed  well  within  its  intended  purpose.  The  only 
HIPAA-  or  PCI-related  data  it  did  not  identify  was  American  Express 
card  numbers.  It  had  no  trouble  with  MasterCard  or  Visa  numbers, 
names, addresses, phone numbers or Social Security numbers. However,
it also found a large number of false positives in Windows system
dynamic link libraries and other program files that it thought were sensitive
information.
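
Detection logic for the payment-card case above, as an added example (not Identity Finder's code): candidate digit runs are bounded, checked against issuer prefix and length rules that include 15-digit American Express numbers, and Luhn-validated, which also discards most digit strings of the kind found in program files. The function names are hypothetical, and the sample lines are constructed from publicly documented test card numbers.

```python
import re

# 13-16 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer run of digits (common in binaries and version tables).
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")

# Issuer prefix and length rules, applied to the bare digit string.
BRAND_RULES = (
    ("amex", re.compile(r"3[47]\d{13}")),                      # 15 digits
    ("visa", re.compile(r"4(?:\d{12}|\d{15})")),               # 13 or 16 digits
    ("mastercard", re.compile(
        r"(?:5[1-5]\d{2}|222[1-9]|22[3-9]\d|2[3-6]\d{2}|27[01]\d|2720)\d{12}"
    )),                                                        # 16 digits
)


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_of(digits):
    for name, rule in BRAND_RULES:
        if rule.fullmatch(digits):
            return name
    return None


def mask(digits):
    """Keep first six and last four digits so reports do not store the PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_cards(text):
    """Return (brand, masked number, offset) for each validated card number."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        brand = brand_of(digits)
        if brand and luhn_ok(digits):
            hits.append((brand, mask(digits), m.start()))
    return hits


# Constructed sample input.
SAMPLE = (
    "Visa 4111 1111 1111 1111 exp 09/11\n"
    "MC 5555-5555-5555-4444\n"
    "Amex 3782 822463 10005\n"            # 4-6-5 grouping, 15 digits
    "Order ref 4111111111111112\n"        # right prefix and length, fails Luhn
    "build 20090817123456789012345\n"     # long digit run, rejected by bounds
    "pad 0000000000000000\n"              # passes Luhn, no issuer prefix
)

if __name__ == "__main__":
    for brand, masked, offset in find_cards(SAMPLE):
        print(f"{offset:4d} {brand:10s} {masked}")
```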

System  resources 

Data Endpoint seemed to be the most lightweight of the agents. It only consumed
up to 30MB of memory, and a small share of the processor. Hard
disk  usage  was  between  68MB  (in  Windows  2008)  and  91MB  (in  Vista). 
It’s  worth  repeating  that  it  was  the  only  program  with  an  option  to  throttle 
discovery  network  usage. 

LeakProof used a quarter to half of the processor, and a max of 50MB of
memory. Hard drive space was a little less than Data Endpoint, weighing in
at 55MB to 67MB (again with Win 2008 taking the least and Vista taking the
most). Blocking actions never got in the way of system operation.

Identity  Finder’s  discovery  scan  consumed  most  of  the  processor  and 
up  to  60MB  of  memory.  Canceling  a  scan  forced  the  program  to  finish 
scanning  the  file  it  was  on  before  it  would  terminate.  Hard  disk  usage  was 
consistent  around  47MB. 

Product  summaries 

LeakProof was the best general-purpose endpoint DLP tool of the three.
Configuration was painless, performance was tops, it was the least
obtrusive and it enforced policies across the entire system.

Data Endpoint by far gives the administrator the most power. The fully
packaged installation, ability to draw on a large selection of policy
templates from around the world, scriptable custom actions upon detection,
tailored actions per-application, and scheduled fingerprinting of files in a
network share make DSS by far the most attractive feature-wise.

However, the application-centricity requires the administrator to
maintain vigilance of the applications installed on the network, and keep the
endpoint profiles up to date. It also means the administrator can’t apply
policies that restrict a user from moving the files around in Windows. It
also suffered from small glitches in the configuration interface and user
experience. With a bit of polish on the interface and some improvements
to the blocking accuracy, this would be a stellar product.

Identity Finder seems best suited to smaller organizations where the
responsibility of data protection can be delegated to the user base.
Enterprise-level configuration is not quite on par with Data Endpoint and
LeakProof, and the lack of a blocking function precludes it from the circle of
big-time DLP vendors. On the other hand, the remediation abilities it gives to
users are impressive, the endpoint interface is friendly and easy to
understand, and it is very good at its intended purpose — finding identity-related
data. Identity Finder was also the only product that supported Mac OS.

Blakely  is  pursuing  his  Doctorate  of  Philosophy  in  Computer  Engineering 
at  the  Iowa  State  University  of  Science  and  Technology.  He  works  as  a 
research  assistant  at  the  Iowa  State  University  Internet-Scale  Event  and 
Attack  Generation  Environment  Laboratory  (ISEAGE).  He  can  be  reached 
at  bab@iastate.edu. 

Rabe  is  a  graduate  student  at  the  Iowa  State  University  of  Science 
and  Technology.  He  is  pursuing  his  Master's  of  Science  in  Computer 
Engineering  and  Information  Assurance.  Duffy  is  a  senior  undergraduate 
student  at  the  Iowa  State  University  of  Science  and  Technology. 
BACKSPIN BY MARK GIBBS

Dear  Vendor ... 

DEAR  VENDOR  ... 

Really?  Is  that  the  best  you  can  do?  Are  you  really 
that  lame?  Yes,  I’m  talking  to  you,  vendor  X. 

I  just  looked  at  your  Web  site.  I  downloaded  your  white  papers,  read 
your  virtual  product  sheets  and  looked,  to  no  avail,  for  your  price  list.  For 
heaven’s  sake,  I  just  watched  your  online  video!  You  know,  the  one  where 
you,  for  want  of  a  better  term,  “demo’ed”  your  product!  What’s  the  word  I’m 
looking  for . . .  ?  Oh  yeah.  LAME! 

You  sound  like  you’re  on  some  kind  of  medication.  You  sounded  like 
you’d  rather  be  doing  anything  else  other  than  pitching  your  product.  And 
you  sounded  like  you  were  making  it  up  as  you  went  along.  If  you  want  to 
sell  me  you’re  going  to  have  to  do  a  lot  better  than  that. 

If  you  aren’t  excited  by  your  product  then  why  should  I  be  excited?  If  you 
can’t  give  me  a  succinct,  interesting  elevator  pitch  (I  swear,  I’m  getting  off 
when  we  reach  the  10th  floor),  don’t  expect  me  to  give  a  dang. 

Everyone  in  IT  is  constantly  bombarded  with  pitches.  “Read  my  white 
paper.”  “Read  this  half-baked  review  by  someone  who  has  no  idea  that  a 
review  isn’t  about  regurgitating  a  press  release.”  “Read  my  Web  site.”  “Read 
what  this  overpaid  analyst  has  to  say  about  me.”  Me,  me,  me.  Get  a  grip! 

You know what? Your Web site stinks. Yep. It really does. You don’t
explain what your product really does. Sure, you use the industry
standard buzzwords. You have a big analyst opine on your “magic”. But really,
are you telling a story I give a rat’s anything about? Nope.

How about what the analyst really had to say? You think that is the same
as showing that your product actually works? That showing that someone,
somewhere, has bought off on it in a big enough way that they have
actually made a real commitment to it and got value from it?

Don’t just wave your marketing hands at me. Don’t assume that your
language and mine are the same, that when you explain that your
product is “an integrated, real-time, global solution to intrinsic variability in
zippydoodah dynamics”, or whatever yuck-speak you think defines your
industry, that I will actually believe that it means something in the real
world of IT. It won’t!

Here’s what I want . . . First, explain what you do. Don’t talk down to me.
You’ve got to understand that I’ve been around the IT block a few times.
I know this industry. And don’t assume that your terminology is
understandable outside of your niche. If you don’t speak in a way that I
understand then I’ll be tuning out faster than you can say “bankruptcy.”

Next,  give  me  an  idea  of  what  your  product  actually  costs.  Don’t  try  to  get 
me  to  fill  in  forms  to  generate  a  lead  (I’ll  probably  lie  anyway). 

And don’t try to use the “it depends” argument; I know what that phrase
means. It means: “We’re going to try to screw every cent out of you that we
can” and at that point, you have just lost most or perhaps all of your
credibility. That’s assuming you haven’t already killed off my interest with your
pathetic explanation of whatever it is you think you do.

If  your  pitch  is  really  interesting  then  I  might  hang  in  there  while  you 
beat  about  the  pricing  bush,  but  if  that’s  the  case  then  you’d  better  have  a 
killer  product.  If  you  don’t,  well,  I  have  real  fires  to  put  out  and,  as  far  as  I’m 
concerned,  you  can  go  up  in  flames  and  good  luck  to  you. 

My time isn’t just valuable; my time is the stuff that animates the
universe. Well, at least my universe. Want my attention? Show me what you’ve
got, what it really costs, and be good and be quick about it.

Theoretically  yours, 

A Potential Customer.

Gibbs  is  a  tough  sell  in  Ventura,  Calif.  Your  pitch  to  backspin@gibbs.com. 


NETBUZZ  BY  PAUL  McNAMARA 


Silliest  ‘wiretapping’  charges  ever  recorded 


CHI QUANG TRUONG, 46, is being charged by
police in Natick, Mass., with “unlawful wiretapping
and possessing a device for wiretapping,”
according to a story in The MetroWest Daily News (my former employer,
incidentally).

If  you’re  thinking  foreign  spy  or  industrial  espionage,  think  again. 

. . .  Try  an  irate  customer  who  kicked  up  a  fuss  at  a  car  dealer’s  service 
department. 

And  that  “device  for  wiretapping?” . . .  Try  nothing  more  sophisticated 
than  a  handheld  digital  voice  recorder;  an  Olympus,  to  be  precise. 

If  you  cannot  imagine  what  could  be  going  on  here,  chances  are  you’ve 
not  had  reason  to  brush  up  on  the  laws  governing  the  tape  recording  of 
conversations.  (Journalists  know  all  about  this  stuff.) 

Truong’s travails began with a beef familiar to all of us: Unsatisfied with
the timeliness in which his car was repaired, he demanded $300
compensation from the dealer. His demand was met with a series of counteroffers,
which were rebuffed and followed by an escalating confrontation, which
resulted in the dealer calling the cops.

From the story: “Police arrested a man they say caused a disturbance at a
Honda dealership and who, it was later discovered, had been recording the
exchange with a voice recorder in his pocket. Police said Truong became
irate and blocked the dealership’s service bay with his car. Workers at
Bernardi Honda asked Truong to leave and he refused, (Lt. Brian) Grassey
said. During his arrest, Truong tried to resist police.

“After officers placed Truong under arrest, Grassey said they discovered
an Olympus digital voice recorder in his pocket. Truong didn’t say why he
was taping, Grassey said.”

Truong faces charges of disorderly conduct, resisting arrest and
trespassing, in addition to the unlawful wiretapping and possessing a
device for wiretapping raps.

Although  not  specified  in  the  story,  I’ll  go  out  on  a  limb  and  suggest  that 
the  reason  Truong  was  hit  with  the  “wiretapping”  charges  —  I  mean  other 
than  the  fact  he  allegedly  gave  the  police  a  hard  time  —  was  that  he  failed 
to  inform  the  employees  at  the  dealership  that  he  was  tape-recording  their 
conversation.  Twelve  states,  including  my  beloved  Massachusetts,  require 
that  all  parties  to  a  conversation  be  informed  before  anyone  can  hit  the 
record  button  on  whatever  device  they’re  packing  or  yacking  on. 

Federal law has no problem with such recordings and 38 states, as well
as the District of Columbia, concur. However, according to The Reporters
Committee for Freedom Web site: “Twelve states require, under most
circumstances, the consent of all parties to a conversation. Those
jurisdictions are California, Connecticut, Florida, Illinois, Maryland,
Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania
and Washington. Be aware that you will sometimes hear these referred to
inaccurately as ‘two-party consent’ laws. If there are more than two people
involved in the conversation, all must consent to the taping.”

In my view it’s the federal law and 38 “one-party consent” states that
have this one called correctly, and the 12 others that have some explaining
to do. The justification for criminalizing self-authorized self-recording has
never been made clear to me; best I get from friends and colleagues is that
being recorded without one’s knowledge “is creepy.”

Yes  it  is,  or  at  least  it  can  be  in  some  cases. 

But so is charging a guy with “wiretapping” just because he tossed a
nutty at a car dealership.
SOFITEL MELBOURNE ON COLLINS


NEC  GIVES  SOFITEL 
WHAT  GUESTS  EXPECT- 
RIGHT  SERVICE,  RIGHT  TIME 


Thanks to technology and a partnership with NEC, Sofitel
Melbourne has some pretty happy customers. A new digital
signage solution has replaced posted hotel information
with a total digital installation that can provide pertinent
and timely information to specific audiences. "NEC had a
perfect solution for us," says general manager, Clive Scott.
Digital signage cuts costs, helps build branding, and is
helping Sofitel turn customers into return customers.


Clive  Scott 